概述
在上一篇《以中国为目标的DinodasRAT Linux后门剖析及通信解密尝试》文章中,笔者对DinodasRAT Linux后门的功能及通信数据包进行了简单剖析,实现了对DinodasRAT Linux后门心跳数据包的解密尝试。
虽然目前可对DinodasRAT Linux后门的通信数据包进行解密,但笔者认为目前对DinodasRAT Linux后门的了解还不是很充分。
因此,为了能够更进一步的对DinodasRAT Linux后门的攻击活动进行剖析,笔者准备从如下几个角度复现DinodasRAT Linux后门的攻击场景及攻击利用过程中的DinodasRAT Linux后门的通信模型:
- 后门攻击场景复现:基于模拟构建的DinodasRAT Linux后门控制端程序,复现DinodasRAT Linux后门的远控攻击场景;
- 关键代码分析:梳理分析DinodasRAT Linux后门通信模型相关的关键代码;
- 后门通信模型剖析:梳理DinodasRAT Linux后门各远控指令的通信模型;
- 模拟构建DinodasRAT Linux后门控制端:通过模拟构建DinodasRAT Linux后门控制端程序以实现与DinodasRAT Linux后门的交互效果;
-
后门攻击场景复现
为了能够更好的还原DinodasRAT Linux后门的攻击利用场景,笔者尝试模拟构建了一款DinodasRAT Linux后门控制端程序,目前可有效的与DinodasRAT Linux后门进行交互,相关运行效果如下:
-
相关通信数据包截图如下:
相关操作流程如下:
- 被控端执行UninstallMm指令(卸载自身)前运行情况
- 被控端执行UninstallMm指令(卸载自身)后运行情况
- 控制端
F:\GolandProjects\awesomeProject5>awesomeProject5.exe Server started. Listening on 0.0.0.0:80 请选择需执行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm >help ********支持功能如下******** DirClass:查看目录 DelDir:删除目录 EnumProcess:查看进程 DealExShell:执行shell命令 UninstallMm:卸载自身 ************************** 请选择需执行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm >DealExShell DealExShell指令-请输入需执行的shell命令: >ifconfig *******************DealExShell:ifconfig******************* eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.153.133 netmask 255.255.255.0 broadcast 192.168.153.255inet6 fe80::51d9:b9bf:4800:15b1 prefixlen 64 scopeid 0x20<link>ether 00:0c:29:7a:63:b6 txqueuelen 1000 (Ethernet)RX packets 117418 bytes 10766685 (10.2 MiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 127228 bytes 56957898 (54.3 MiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 1000 (Local Loopback)RX packets 4 bytes 240 (240.0 B)RX errors 0 dropped 0 overruns 0 frame 0TX packets 4 bytes 240 (240.0 B)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0请选择需执行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm >DirClass DirClass指令-请输入需查看的目录路径: >/tmp/ *******************DirClass:/tmp/******************* .X0-lock 1 11 2023-07-20 21:07:38 2 .XIM-unix 0 0 2023-07-20 21:07:37 2 systemd-private-07e721d8e32643438b178572cb153efe-colord.service-Oil9iv 0 0 2023-07-20 21:08:35 2 vmware-root_484-868851811 0 0 2023-07-20 21:07:38 2 .font-unix 0 0 2023-07-20 21:07:37 2 .xfsm-ICE-V8T571 1 398 2023-07-20 21:08:33 2 ssh-XXXXXXVA2uMv 0 0 2023-07-20 21:08:33 2 systemd-private-07e721d8e32643438b178572cb153efe-systemd-logind.service-3sTMOv 0 0 2023-07-20 21:07:38 2 systemd-private-07e721d8e32643438b178572cb153efe-haveged.service-hyFQUI 0 0 2023-07-20 21:07:37 2 systemd-private-07e721d8e32643438b178572cb153efe-upower.service-OpfV78 0 0 2023-07-20 21:08:34 2 .X11-unix 0 0 2024-05-06 02:04:10 2 systemd-private-07e721d8e32643438b178572cb153efe-ModemManager.service-r0SmEk 0 0 2023-07-20 21:07:38 2 VMwareDnD 0 0 2024-04-29 21:59:26 2 .ICE-unix 0 0 2023-07-20 21:08:33 2请选择需执行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm >EnumProcess *******************EnumProcess:******************* systemd root 1 kthreadd root 2 rcu_gp root 3 rcu_par_gp root 4 slub_flushwq root 5 netns root 6 kworker/0:0H-events_highpri root 8 mm_percpu_wq root 10 rcu_tasks_kthread root 11 rcu_tasks_rude_kthread root 12 rcu_tasks_trace_kthread root 13 ksoftirqd/0 root 14 rcu_preempt root 15 migration/0 root 16 cpuhp/0 root 18 cpuhp/1 root 19 migration/1 root 20 ksoftirqd/1 root 21 cpuhp/2 root 24 migration/2 root 25 ksoftirqd/2 root 26 kworker/2:0H-events_highpri root 28 cpuhp/3 root 29 migration/3 root 30 ksoftirqd/3 root 31 kworker/3:0H-events_highpri root 33 kdevtmpfs root 38 inet_frag_wq root 39 kauditd root 40 khungtaskd root 42 oom_reaper root 43 writeback root 44 kcompactd0 root 45 ksmd root 46 khugepaged root 47 kintegrityd root 48 kblockd root 49 blkcg_punt_bio root 50 tpm_dev_wq root 51 edac-poller root 52 devfreq_wq root 53 kworker/0:1H-kblockd root 54 kswapd0 root 55 kthrotld root 64 irq/24-pciehp root 66 irq/25-pciehp root 67 irq/26-pciehp root 68 irq/27-pciehp root 69 irq/28-pciehp root 70 irq/29-pciehp root 71 irq/30-pciehp root 72 irq/31-pciehp root 73 irq/32-pciehp root 74 irq/33-pciehp root 75 irq/34-pciehp root 76 irq/35-pciehp root 77 irq/36-pciehp root 78 irq/37-pciehp root 79 irq/38-pciehp root 80 irq/39-pciehp root 81 irq/40-pciehp root 82 irq/41-pciehp root 83 irq/42-pciehp root 84 irq/43-pciehp root 85 irq/44-pciehp root 86 irq/45-pciehp root 87 irq/46-pciehp root 88 irq/47-pciehp root 89 irq/48-pciehp root 90 irq/49-pciehp root 91 irq/50-pciehp root 92 irq/51-pciehp root 93 irq/52-pciehp root 94 irq/53-pciehp root 95 irq/54-pciehp root 96 irq/55-pciehp root 97 acpi_thermal_pm root 98 xenbus_probe root 99 mld root 100 ipv6_addrconf root 101 kstrp root 106 zswap-shrink root 111 kworker/u65:0-hci0 root 112 kworker/1:1H-kblockd root 160 kworker/2:1H-kblockd root 171 kworker/3:1H-kblockd root 172 cryptd root 181 ata_sff root 182 scsi_eh_0 root 183 scsi_tmf_0 root 184 mpt_poll_0 root 185 scsi_eh_1 root 187 mpt/0 root 188 scsi_tmf_1 root 189 irq/16-vmwgfx root 204 card0-crtc0 root 206 card0-crtc1 root 207 card0-crtc2 root 208 card0-crtc3 root 209 card0-crtc4 root 210 card0-crtc5 root 212 card0-crtc6 root 214 card0-crtc7 root 215 scsi_eh_2 root 268 scsi_tmf_2 root 269 kworker/1:2H-kblockd root 278 jbd2/sda1-8 root 309 ext4-rsv-conver root 310 systemd-journal root 364 vmware-vmblock- root 381 systemd-udevd root 390 haveged root 462 vmtoolsd root 484 irq/56-vmw_vmci root 588 irq/57-vmw_vmci root 590 kworker/u65:2-hci0 root 668 dbus-daemon message+ 811 polkitd polkitd 814 systemd-logind root 816 rpciod root 817 xprtiod root 818 NetworkManager root 819 cron root 835 ModemManager root 838 lightdm root 858 Xorg root 872 agetty root 873 rtkit-daemon rtkit 997 lightdm root 1461 systemd /usr/lib/systemd/systemd kali 1467 (sd-pam) kali 1468 pipewire /usr/bin/pipewire kali 1483 wireplumber /usr/bin/wireplumber kali 1484 pipewire-pulse /usr/bin/pipewire kali 1485 dbus-daemon /usr/bin/dbus-daemon kali 1487 gnome-keyring-d /usr/bin/gnome-keyring-daemon kali 1488 xfce4-session /usr/bin/xfce4-session kali 1498 ssh-agent kali 1567 at-spi-bus-laun /usr/libexec/at-spi-bus-launcher kali 1578 dbus-daemon /usr/bin/dbus-daemon kali 1585 at-spi2-registr /usr/libexec/at-spi2-registryd kali 1596 gpg-agent kali 1608 xfwm4 /usr/bin/xfwm4 kali 1610 gvfsd /usr/libexec/gvfsd kali 1614 gvfsd-fuse /usr/libexec/gvfsd-fuse kali 1620 xfsettingsd /usr/bin/xfsettingsd kali 1635 upowerd root 1639 xfce4-panel /usr/bin/xfce4-panel kali 1645 Thunar /usr/bin/thunar kali 1650 xfdesktop /usr/bin/xfdesktop kali 1661 panel-1-whisker /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 kali 1665 panel-13-cpugra /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 kali 1670 xiccd /usr/bin/xiccd kali 1671 panel-14-systra /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 kali 1672 panel-15-genmon /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 kali 1676 xfce4-notifyd /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd kali 1678 panel-16-pulsea /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 kali 1686 colord colord 1698 panel-17-notifi /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 kali 1701 nm-applet /usr/bin/nm-applet kali 1703 xcape /usr/bin/xcape kali 1708 panel-18-power- /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 kali 1711 light-locker /usr/bin/light-locker kali 1716 panel-22-action /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 kali 1722 dconf-service /usr/libexec/dconf-service kali 1725 polkit-gnome-au /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 kali 1727 xfce4-power-man /usr/bin/xfce4-power-manager kali 1752 agent /usr/libexec/geoclue-2.0/demos/agent kali 1755 blueman-applet /usr/bin/python3.11 kali 1782 vmtoolsd /usr/bin/vmtoolsd kali 1783 obexd /usr/libexec/bluetooth/obexd kali 2006 gvfs-udisks2-vo /usr/libexec/gvfs-udisks2-volume-monitor kali 2019 udisksd root 2023 gvfs-mtp-volume /usr/libexec/gvfs-mtp-volume-monitor kali 2038 gvfs-afc-volume /usr/libexec/gvfs-afc-volume-monitor kali 2043 gvfs-gphoto2-vo /usr/libexec/gvfs-gphoto2-volume-monitor kali 2049 gvfs-goa-volume /usr/libexec/gvfs-goa-volume-monitor kali 2054 gvfsd-trash /usr/libexec/gvfsd-trash kali 2068 gvfsd-metadata /usr/libexec/gvfsd-metadata kali 2074 qterminal /usr/bin/qterminal kali 2211 zsh /usr/bin/zsh kali 2214 linux_server64 /home/kali/Desktop/linux_server64 kali 6586 zsh /usr/bin/zsh kali 6611 kworker/3:2-mm_percpu_wq root 666030 kworker/2:0-events root 671000 kworker/1:1-mm_percpu_wq root 676828 kworker/0:0-cgroup_destroy root 687692 kworker/u64:0-flush-8:0 root 693826 kworker/2:1-mm_percpu_wq root 696046 kworker/2:2-mpt_poll_0 root 698531 kworker/1:2-ata_sff root 699316 kworker/u64:2-flush-8:0 root 699787 kworker/0:2-events root 699926 kworker/u64:3-events_unbound root 699928 kworker/3:0-cgroup_destroy root 699936 tumblerd /usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd kali 700635 kworker/1:0-ata_sff root 702014 test /home/kali/Desktop/test kali 702951 sh /usr/bin/dash kali 702959 test /home/kali/Desktop/test kali 702960请选择需执行的功能:help、DirClass、DelDir、EnumProcess、DealExShell、UninstallMm >UninstallMm *******************UninstallMm:******************* UninstallMm okF:\GolandProjects\awesomeProject5>
关键代码分析
通信框架
在《以中国为目标的DinodasRAT Linux后门剖析及通信解密尝试》文章的“DinodasRAT通信解密尝试”章节,笔者对DinodasRAT Linux后门的通信加解密原理进行了详细的剖析,因此,这里笔者将不再对DinodasRAT Linux后门中的通信加解密技术进行描述。
为了能够快速了解DinodasRAT Linux后门的通信逻辑,笔者又对DinodasRAT Linux后门的反编译代码进行了详细的分析梳理,发现:
- DinodasRAT Linux后门运行后,将循环发送心跳通信
- DinodasRAT Linux后门运行后,将从控制端循环接收控制指令,成功执行远控指令后,将返回执行结果信息
相关代码截图如下:
DinodasRAT Linux后门通信数据接收函数代码截图如下:
DinodasRAT Linux后门通信数据发送函数代码截图如下:
远控功能与远控指令编号的对应关系梳理如下:
| 远控函数 | 远控功能 | 远控编号 |
|---|---|---|
| DirClass | 列目录 | 0x02 |
| DelDir | 删除目录 | 0x03 |
| UpLoadFile | 上传文件 | 0x05 |
| StopDownLoadFile | 停止上传文件 | 0x06 |
| DownLoadFile | 下载文件 | 0x08 |
| StopDownFile | 停止下载文件 | 0x09 |
| DealChgIp | 修改C&C地址 | 0x0E |
| CheckUserLogin | 检查已登录的用户 | 0x0F |
| EnumProcess | 枚举进程列表 | 0x11 |
| StopProcess | 终止进程 | 0x12 |
| EnumService | 枚举服务 | 0x13 |
| ControlService | 控制服务 | 0x14 |
| DealExShell | 执行shell | 0x18 |
| DealProxy | 执行指定文件 | 0x1A |
| StartShell | 开启shell | 0x1B |
| ReRestartShell | 重启shell | 0x1C |
| StopShell | 停止当前shell的执行 | 0x1D |
| WriteShell | 将命令写入当前shell | 0x1E |
| DealFile | 下载并更新后门版本 | 0x27 |
| DealLocalProxy | 发送“ok” | 0x28 |
| ConnectCtl | 控制连接类型 | 0x2B |
| ProxyCtl | 控制代理类型 | 0x2C |
| Trans_mode | 设置或获取文件传输模式(TCP/UDP) | 0x2D |
| UninstallMm | 卸载自身 | 0x2E |
