使用dnlib自动化提取AgentTesla字符串 - 完整教学文档<\/h1>

1. AgentTesla背景介绍<\/h2>

1.1 AgentTesla概述<\/h3>

AgentTesla是一种典型的Windows间谍木马\/信息窃取器，具有以下特征：<\/p>

类型<\/strong>：远程访问木马（RAT）、间谍木马、信息窃取木马<\/li>
平台<\/strong>：主要针对Windows系统<\/li>
开发语言<\/strong>：基于.NET框架（C#\/VB.NET）<\/li>
活跃时间<\/strong>：自2014年开始持续活跃并不断更新<\/li>

商业模式<\/strong>：以"恶意软件即服务"（MaaS）形式在地下市场销售<\/li> <\/ul>
1.2 样本信息<\/h3>

样本哈希<\/strong>：4c321c77e5a9381005c96bc7fc887b962bcd8c82fcabf579f3301d583055f59d<\/li>
保护机制<\/strong>：使用Obfuscar保护器进行代码混淆<\/li> <\/ul>
2. 静态分析基础<\/h2>
2.1 字符串加密特征分析<\/h3>
在分析过程中发现关键特征：<\/p>

存在大型字节数组用于存储加密字符串<\/li>
字符串解密算法：str[i] ^ i ^ 170<\/code><\/li>
字符串存储方式：连续存储，无分隔符<\/li>
访问方式：通过索引、偏移量和长度参数提取子字符串<\/li> <\/ul> 2.2 Obfuscar字符串隐藏机制<\/h3> 通过分析Obfuscar源代码发现：<\/p> 字符串隐藏通过HideStrings()<\/code>函数实现<\/li> 核心逻辑在ProcessStrings()<\/code>函数中<\/li> 使用(index, start, count)三元组管理字符串访问<\/li> <\/ul> 3. dnlib技术基础<\/h2> 3.1 dnlib简介<\/h3> dnlib是一个用于读取和操作.NET程序集的C#库，主要功能包括：<\/p> 解析.NET程序集的元数据（类型、方法、字段、属性等）<\/li> 分析IL代码指令<\/li> 提取资源文件和清单信息<\/li> 类似于IDA在原生代码分析中的作用<\/li> <\/ul> 3.2 关键概念说明<\/h3> Metadata Token结构<\/strong>：<\/p> Token = (表号 << 24) | 行号(RID)<\/li> 示例：Token: 0x0400017F RID: 383 0x04：表号=4（FieldDef表）<\/li> 0x00017F：行号=383<\/li> <\/ul> <\/li> <\/ul> 4. 自动化提取技术实现<\/h2> 4.1 环境配置要求<\/h3> # 必需组件<\/span> <\/span><\/span>-<\/span> Python环境 <\/span><\/span>-<\/span> pythonnet包（<\/span>pip install pythonnet）<\/span> <\/span><\/span>-<\/span> dnlib.<\/span>dll（<\/span>正确版本）<\/span> <\/span><\/span>-<\/span> pefile包（<\/span>用于PE文件分析）<\/span> <\/span><\/span><\/code><\/pre>4.2 核心实现步骤<\/h3> 步骤1：加载PE文件模块<\/h4> import<\/span> clr <\/span><\/span>import<\/span> dnlib <\/span><\/span>from<\/span> dnlib.DotNet import<\/span> *<\/span> <\/span><\/span> <\/span><\/span># 加载dnlib<\/span> <\/span><\/span>clr.<\/span>AddReference('dnlib.dll'<\/span>) <\/span><\/span> <\/span><\/span># 加载目标样本<\/span> <\/span><\/span>mw_module =<\/span> dnlib.<\/span>DotNet.<\/span>ModuleDefMD.<\/span>Load("sample_path"<\/span>) <\/span><\/span><\/code><\/pre>步骤2：遍历类型和方法结构<\/h4> for<\/span> per_type in<\/span> mw_module.<\/span>GetTypes(): <\/span><\/span> if<\/span> not<\/span> per_type.<\/span>HasMethods: <\/span><\/span> continue<\/span> <\/span><\/span> <\/span><\/span> for<\/span> per_method in<\/span> per_type.<\/span>Methods: <\/span><\/span> if<\/span> not<\/span> per_method.<\/span>HasBody or<\/span> not<\/span> per_method.<\/span>Body.<\/span>HasInstructions: <\/span><\/span> continue<\/span> <\/span><\/span><\/code><\/pre>步骤3：定位加密数组<\/h4> 关键识别特征：RuntimeHelpers::InitializeArray<\/code>调用<\/p> for<\/span> index in<\/span> range(per_method.<\/span>Body.<\/span>Instructions.<\/span>Count): <\/span><\/span> if<\/span> "RuntimeHelpers::InitializeArray"<\/span> in<\/span> per_method.<\/span>Body.<\/span>Instructions[index].<\/span>ToString(): <\/span><\/span> # 前一条指令包含数组信息<\/span> <\/span><\/span> array_instruction =<\/span> per_method.<\/span>Body.<\/span>Instructions[index -<\/span> 1<\/span>] <\/span><\/span><\/code><\/pre>步骤4：提取数组数据<\/h4> if<\/span> isinstance(array_instruction.<\/span>Operand, dnlib.<\/span>DotNet.<\/span>FieldDef) and<\/span> array_instruction.<\/span>Operand.<\/span>HasFieldRVA: <\/span><\/span> array_data =<\/span> array_instruction.<\/span>Operand.<\/span>InitialValue <\/span><\/span> array_size =<\/span> len(array_data) <\/span><\/span><\/code><\/pre>步骤5：识别解密密钥<\/h4> 通过分析XOR操作模式识别密钥：<\/p> # 特征指令序列：xor → ldc.i4 → xor<\/span> <\/span><\/span>if<\/span> (instructions[idx].<\/span>OpCode ==<\/span> OpCodes.<\/span>Xor and<\/span> <\/span><\/span> instructions[idx +<\/span> 1<\/span>].<\/span>OpCode ==<\/span> OpCodes.<\/span>Ldc_I4 and<\/span> <\/span><\/span> instructions[idx +<\/span> 2<\/span>].<\/span>OpCode ==<\/span> OpCodes.<\/span>Xor): <\/span><\/span> key =<\/span> get_param_value(instructions[idx +<\/span> 1<\/span>]) <\/span><\/span><\/code><\/pre>步骤6：参数提取函数<\/h4> def<\/span> get_ldc_real_value<\/span>(instr): <\/span><\/span> op_name =<\/span> instr.<\/span>OpCode.<\/span>Name <\/span><\/span> if<\/span> op_name ==<\/span> 'ldc.i4'<\/span>: <\/span><\/span> return<\/span> instr.<\/span>Operand <\/span><\/span> elif<\/span> op_name ==<\/span> 'ldc.i4.s'<\/span>: <\/span><\/span> return<\/span> instr.<\/span>Operand <\/span><\/span> elif<\/span> op_name ==<\/span> 'ldc.i4.0'<\/span>: <\/span><\/span> return<\/span> 0<\/span> <\/span><\/span> # 处理其他ldc.i4变体...<\/span> <\/span><\/span><\/code><\/pre>4.3 字符串解密算法<\/h3> def<\/span> decrypt_bytes<\/span>(input_bytes, keyword=<\/span>170<\/span>): <\/span><\/span> result =<\/span> ""<\/span> <\/span><\/span> for<\/span> index, byte in<\/span> enumerate(input_bytes): <\/span><\/span> result +=<\/span> chr(byte ^<\/span> index ^<\/span> keyword) <\/span><\/span> return<\/span> result <\/span><\/span><\/code><\/pre>4.4 字符串切片处理<\/h3> 识别字符串提取函数的参数模式：<\/p> ldc.i4 789 # 索引参数 ldc.i4 10934 # 偏移量参数 ldc.i4.s 17 # 长度参数 call string method # 字符串提取函数调用 <\/code><\/pre> 5. 工程化实现方案<\/h2> 5.1 模块化设计架构<\/h3> 候选密钥收集<\/h4> def<\/span> collect_candidate_keys<\/span>(mw_module): <\/span><\/span> candidate_keys =<\/span> [] <\/span><\/span> for<\/span> per_type in<\/span> mw_module.<\/span>GetTypes(): <\/span><\/span> for<\/span> per_method in<\/span> per_type.<\/span>Methods: <\/span><\/span> # 重点检查构造函数和静态构造函数<\/span> <\/span><\/span> if<\/span> per_method.<\/span>IsConstructor or<\/span> per_method.<\/span>Name ==<\/span> ".cctor"<\/span>: <\/span><\/span> instructions =<\/span> per_method.<\/span>Body.<\/span>Instructions <\/span><\/span> # 识别XOR密钥模式...<\/span> <\/span><\/span> return<\/span> candidate_keys <\/span><\/span><\/code><\/pre>ASCII有效性验证<\/h4> def<\/span> pct_ascii<\/span>(data): <\/span><\/span> """计算字符串的ASCII字符比例"""<\/span> <\/span><\/span> if<\/span> not<\/span> data: <\/span><\/span> return<\/span> 0.0<\/span> <\/span><\/span> valid_chars =<\/span> len([c for<\/span> c in<\/span> data if<\/span> (0<\/span> <=<\/span> ord(c) <<\/span> 128<\/span>) or<\/span> ord(c) ==<\/span> 0<\/span>]) <\/span><\/span> return<\/span> valid_chars \/<\/span> len(data) <\/span><\/span><\/code><\/pre>目标参数收集<\/h4> def<\/span> collect_target_params<\/span>(mw_module): <\/span><\/span> str_params =<\/span> [] <\/span><\/span> for<\/span> per_type in<\/span> mw_module.<\/span>GetTypes(): <\/span><\/span> for<\/span> per_method in<\/span> per_type.<\/span>Methods: <\/span><\/span> # 筛选公开方法且返回值为String<\/span> <\/span><\/span> if<\/span> per_method.<\/span>IsPublic and<\/span> str(per_method.<\/span>ReturnType) ==<\/span> "System.String"<\/span>: <\/span><\/span> # 提取偏移量和长度参数...<\/span> <\/span><\/span> return<\/span> str_params <\/span><\/span><\/code><\/pre>5.2 完整处理流程<\/h3> 初始化阶段<\/strong>：加载PE文件，建立dnlib模块对象<\/li> 密钥识别阶段<\/strong>：遍历IL指令，识别XOR解密密钥<\/li> 数组定位阶段<\/strong>：找到加密字符串数组<\/li> 参数提取阶段<\/strong>：收集所有字符串访问参数(offset, size)<\/li> 解密执行阶段<\/strong>：应用解密算法，输出可读字符串<\/li> <\/ol> 5.3 异常处理机制<\/h3> 数组越界检查<\/li> 指令解析错误处理<\/li> 解密结果验证机制<\/li> 编码异常处理<\/li> <\/ul> 6. 技术难点与解决方案<\/h2> 6.1 关键挑战<\/h3> 多态性指令处理<\/strong>：ldc.i4指令有多种变体格式<\/li> 代码混淆对抗<\/strong>：Obfuscar保护器的反分析技术<\/li> 动态加载检测<\/strong>：样本可能包含反调试和动态分析检测<\/li> <\/ol> 6.2 解决方案<\/h3> 指令模式识别<\/strong>：基于操作码名称而非数值进行匹配<\/li> 启发式分析<\/strong>：通过ASCII比例验证解密正确性<\/li> 静态分析优先<\/strong>：避免触发样本的反分析机制<\/li> <\/ol> 7. 实际应用效果<\/h2> 通过该自动化方案能够：<\/p> 成功提取AgentTesla的所有加密字符串<\/li> 准确识别Obfuscar的保护机制<\/li> 实现批量样本的自动化分析<\/li> 输出结构化的解密结果<\/li> <\/ul> 8. 参考资源<\/h2> dnlib官方仓库：https:\/\/github.com\/0xd4d\/dnlib<\/li> Obfuscar源代码：https:\/\/github.com\/obfuscar\/obfuscar<\/li> dnlib使用示例：https:\/\/github.com\/extremecoders-re\/dnlib-demo<\/li> .NET元数据处理：https:\/\/github.com\/bartblaze\/DotNet-MetaData<\/li> <\/ol> 9. 总结<\/h2> 本教学文档详细介绍了使用dnlib自动化提取AgentTesla字符串的完整技术方案，涵盖了从基础理论到工程实践的各个方面。通过系统化的分析方法和技术实现，能够有效对抗Obfuscar等保护器的混淆技术，为.NET恶意软件分析提供了实用的自动化解决方案。<\/p>