利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Unpacking .NET Malware With Process Hacker and Dnspy
利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件
Unpacking an Asyncrat loader using Process Hacker and Dnspy
利用 Process Hacker 与 Dnspy 脱壳 Asyncrat 加载器

Unpacking malware can be a tedious task. Often involving intensive static analysis and in-depth knowledge of debugging.


In this post, I'll demonstrate an easy method that can be used to unpack files that ultimately load a .NET based malware.

在本篇文章中,我将演示一种简单的方法,用于脱壳最终会加载基于 .NET 的恶意软件的文件。

This method primarily involves running the file and monitoring for process executions using Process Hacker. Upon execution, Process Hacker can be used to observe any .NET files loaded into memory. If a file is identified, it can then be obtained using Dnspy.

该方法主要包括运行文件并使用 Process Hacker 监控进程执行。在执行过程中,Process Hacker 可用于观察加载到内存中的任何 .NET 文件。如果识别到 .NET 文件,就可以使用 Dnspy 获取该文件。


Sha256: 05c2195aa671d62b3b47ff42630db25f39453375de9cffa92fc4a67fa5b6493b



I will begin analysis by saving the file into my virtual machine and unzipping it with the password infected.


After unzipping, I will also create a copy of the file with a shorter filename.


利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

I will also perform a basic initial assessment using Detect-it-easy.
我还将使用 Detect-it-easy 进行基本的初步检查。

Initial Assessment with Detect-it-easy
使用 Detect-it-easy 进行初步检查
My primary goal here is to review the entropy graph. Here I can determine if there are any high-entropy areas large enough to store a file.

In this case, there is such an area (as seen in below screenshot). This area suggests that the file could be a loader (as it contains a possible encrypted payload).

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Initial Assessment With DnSpy

使用 DnSpy 进行初步检查

Before attempting to unpack the file, I will also open it within DnSpy.

在尝试脱壳文件之前,我还会在 DnSpy 中打开它。

This is to make sure that the file is not already unpacked. In my initial assessment, I didn't see any functionality that suggested the file was already unpacked.


利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Observing Unpacked Content With Process Hacker

使用 Process Hacker 观察已脱壳的内容

At this point, I want to run the file and attempt to let it unpack itself.


This can be achieved by running the file for a few seconds, and observing the process as well as any new processes that are spawned.


After a few seconds have passed, we can go ahead and view the process to see if any new .NET modules have been loaded.

几秒钟后,我们可以继续查看进程,看看是否加载了任何新的 .NET 模块。

Running the file for a few seconds, we can see that it spawns aspnet_compiler.exe. This is suspicious and something we can hone in on.

运行该文件几秒钟后,我们可以看到它生成了 aspnet_compiler.exe。这很可疑,我们可以仔细检查一下。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

We can also observe that after the new process is spawned, the original process 05c.exe exits a few seconds later.

我们还可以观察到,在生成新进程后,原始进程 05c.exe 会在几秒钟后退出。

This is an indicator that any suspicious or unpacked content is likely contained within aspnet_compiler.exe.

这表明任何可疑或未脱壳的内容都可能包含在 aspnet_compiler.exe 中。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Identifying Unpacked .NET Files Using Process Hacker

使用 Process Hacker 识别脱壳后的 .NET 文件

With the suspicious aspnet_compiler.exe identified, we can go ahead and inspect it using Process Hacker.

确定了可疑的 aspnet_compiler.exe,我们就可以使用 Process Hacker 对其进行检查了。

We can do this by double clicking on the process name, or right-clicking and selecting "Properties".


This will open a window like the following. There are two main points here.


* .NET Assemblies tab - This shows us that some kind of .NET module is loaded into the process.

.NET Assemblies(.NET 程序集)选项卡 - 这表明进程中加载了某种 .NET 模块。

* Image Type - 32bit - The process is 32-bit, this tells us that any future debugging will require a 32-bit debugger (eg Dnspy x86)

镜像类型 - 32 位 - 进程是 32 位的,这表明今后的任何调试都需要 32 位调试器(例如 Dnspy x86)

* (Verified) Microsoft Corporation - This is likely a legitimate process that has been hijacked.

(已验证)微软公司 - 这很可能是一个被劫持的合法进程。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Inspecting Loaded .NET Modules With Process Hacker

使用 Process Hacker 检查已加载的 .NET 模块

We can go ahead an inspect any loaded modules with the .NET assemblies tab.

我们可以使用“.NET 程序集”选项卡检查任何已加载的模块。

This will list any loaded .NET modules within the current process. As well as information for each module. We want to look for loaded modules that look out of place, or different to the others.

这将列出当前进程中任何已加载的 .NET 模块,以及每个模块的信息。我们要查找那些看起来与其他模块不匹配或不同的加载模块。

In this case, there is a loaded module named vik that doesn't look right. It has a completely different style of name to the other modules, and doesn't have a corresponding native image path (like all the other modules)

在本例中,有一个名为 vik 的加载模块看起来不太对劲。它的命名风格与其他模块完全不同,也没有相应的本地镜像路径(与其他模块一样)。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

If we look closer, we can also see that the "regular" path is that of aspnet_compiler.exe. This is suspicious, why would aspnet_compiler be named vik?

如果我们仔细观察,还可以发现“常规”路径是 aspnet_compiler.exe。这很可疑,为什么 aspnet_compiler 会被命名为 vik? 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Verifying Suspicious .NET Modules Using DnSpy

使用 DnSpy 验证可疑的 .NET 模块

Now that we have identified a suspicious module, we can go ahead and obtain it using DnSpy.

现在我们已经确定了一个可疑模块,可以继续使用 DnSpy 获取它。

To obtain the file, we can open up Dnspy (32-bit) and attach to the aspnet_compiler.exe process.

要获取文件,我们可以打开 Dnspy(32 位)并附加到 aspnet_compiler.exe 进程。

This will allow us to inspect the loaded modules and view their corresponding source code.


Attaching Dnspy To a .NET Process

将 Dnspy 附加到 .NET 进程

We can attach to aspnet_compiler.exe using Debug -> Attach To Process -> Aspnet_compiler.exe

我们可以使用 “调试”->“附加到进程”->“Aspnet_compiler.exe”来附加到 aspnet_compiler.exe。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

With the process attached, we now want to inspect any loaded modules.


We can do this by opening a "Modules" tab, using Debug -> Windows -> Modules.


利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

With the new Modules tab, we can list the same loaded modules that were observed with Process Hacker.

通过新的“模块”选项卡,我们可以列出与 Process Hacker 中观察到的相同的已加载模块。

Interestingly, there is no vik module, but there is an aspnet_compiler.exe module that we know was associated with vik.

有趣的是,这里没有 vik 模块,但有一个 aspnet_compiler.exe 模块,我们知道该模块与 vik 有关。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

By clicking on aspnet_c0mpiler.exe, and selecting "Go To Module", we can view the module contents and corresponding decompiled code.

点击 aspnet_c0mpiler.exe,选择“转到模块”,我们就可以查看模块内容和相应的反编译代码。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

However, this will open the original aspnet_compiler.exe file from disk and not from within memory.

不过,这将从磁盘而不是内存中打开原始的 aspnet_compiler.exe 文件。

Hence, the "real" file will be loaded and we won't see anything suspicious.


利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Instead, we can go back and re-open the file from memory.


利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

With the file opened "from memory", we can obtain the real suspicious content. Which has likely been used to overwrite the original file in memory.


Here we can see the vik module loaded into DnSpy.

在这里,我们可以看到加载到 DnSpy 中的 vik 模块。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Jumping to the Entry Point of .NET Malware

跳转到 .NET 恶意软件的入口点

To inspect the vik file more closely, we can righ-click on vik and select "Go To Entry Point".

要更仔细地检查 vik 文件,我们可以右键单击 vik 并选择“转到入口点”。

This will take us to the beginning of the code. Which very closely resembles that of Asyncrat.

这将带我们进入代码的开头。这与 Asyncrat 的代码非常相似。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Clicking on the Settings.InitializeSettings() method, we can see where the configuration values are decrypted and loaded into the file.

点击 Settings.InitializeSettings() 方法,我们可以看到配置值被解密并加载到文件中。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Identifying the Malware With Google


If you haven't seen Asyncrat before, you could instead take some of the values in the "unpacked" sample and google them.

如果你以前没见过 Asyncrat,你可以将已脱壳的样本中的一些值放到谷歌上搜索。

If the malware is known and there are existing reports, you will likely encounter reports that will suggest which family the malware belongs to.


You may have to experiment with which values to google, some return better results than others. Below we can see Asyncrat comes up straight away when googling Settings.InitializeSettings Malware

有些值返回的结果比其他值更好,你可能需要尝试在谷歌上搜索不同的值。下面我们可以看到,谷歌搜索“Settings.InitializeSettings Malware”时,会直接出现 Asyncrat。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Verifying With a Sandbox


With an unpacked module now obtained, you can use DnSpy to save the file for additional analysis.

获得已脱壳的模块后,你可以使用 DnSpy 保存文件,以便进行更多分析。

From here, you can submit the unpacked file to a sandbox or scan it against a set of Yara rules. This is useful if the strings/functions within the file are obfuscated or you aren't able to obtain a good result from google.

在这里,你可以将解压后的文件提交到沙箱,或根据一组 Yara 规则进行扫描。如果文件中的字符串/函数被混淆或无法从谷歌获得良好的结果,这将非常有用。

This will save the file from memory, so you don't have to worry about saving the "wrong” file


利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Submitting the File To Hatching Triage

将文件提交到 Hatching Triage

After saving, you can submit the file to an online sandbox like Hatching Triage.

保存后,你可以将文件提交到在线沙箱,如 Hatching Triage。

Hatching Triage is correctly able to identify the file as Asyncrat and extract the associated configuration values.

Hatching Triage 可以正确地将文件识别为 Asyncrat,并提取相关的配置值。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

Submitting the File to Unpacme

向 Unpacme 提交文件

Another option which is effective and significantly cheaper for researchers, is Unpacme.

对研究人员来说,另一个有效且成本更低的选择是 Unpacme。

Unpacme is correctly able to identify the file as Asyncrat and extract all configuration values.

Unpacme 能够将文件正确识别为 Asyncrat,并提取所有配置值。 

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件



In this post, we performed some basic analysis of an Asyncrat loader, and utilised Process Hacker to identify an unpacked payload. We then used Dnspy to obtain the unpacked malware and identify it as Asyncrat.

在这篇文章中,我们对 Asyncrat 加载器进行了一些基本分析,并利用 Process Hacker 来识别已脱壳的 payload。然后,我们使用 Dnspy 获取了已脱壳的恶意软件,并将其识别为 Asyncrat。 

原文始发于微信公众号(OnionSec):利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件

版权声明:admin 发表于 2023年11月5日 上午7:14。
转载请注明:利用 Process Hacker 与 Dnspy 脱壳 .NET 恶意软件 | CTF导航