Malware Handbook

Analyzing ASPX Webshells

Overview of Webshells

  • Webshell: A web interface allowing remote access to a web server. It typically includes features for file management, program execution, and command execution on the server.

  • Webshells appear as an ordinary webpage and accept commands through input boxes. Because the code runs on the server, it is not visible in the page source when the shell is accessed through a browser.

Steps for Analysis

  1. Setting Up IIS for Analysis:

    • Enable IIS:

      • Go to Control Panel > Windows Features, or type "Windows Features" in the Start menu.

      • Check the Internet Information Services (IIS) box, expand it, and select the most recent version of ASP.NET.

    • Start IIS:

      • Open IIS Manager from the Start menu.

      • Right-click the server name and select Start if it is not already running.

      • Expand the tree to Default Web Site, right-click it, and select Manage Website > Start.

      • Right-click on Default Web Site, select Explore to open the web server folder.

  2. Deploying and Accessing the Webshell:

    • Copy re_webshell.aspx into the IIS web server folder.

    • Open an internet browser and navigate to:

      http://localhost/re_webshell.aspx

    • The webshell allows command execution. For example:

      • /c dir c:\Users displays user profiles.

      • whoami displays the web server username.

  3. Analyzing Webshell Code:

    • Open re_webshell.aspx in Notepad++.

    • The code is split into HTML (for forms) and a script containing the execCmd function.

    • The execCmd function handles input commands using .NET classes such as Process, ProcessStartInfo, and StreamReader.

  4. Using Abyss Web Server as an Alternative:

    • Install Abyss Web Server:

      • Configure it to avoid conflicts with FakeNet.

      • Access configuration via system tray icon > Restore > Hosts > Default Host > Configure.

    • Deploy Webshell:

      • Copy re_webshell.aspx to the HTDocs folder in the Abyss installation directory.

      • Configure ASP.NET in Abyss Web Server.

    • Access Webshell:

      • Open an internet browser and navigate to:

        http://localhost:8000/aspfiles/re_webshell.aspx

  5. Debugging with Visual Studio:

    • Setup Visual Studio:

      • Create a new ASP.NET Web Application project.

      • Add re_webshell.aspx to the project.

    • Debugging:

      • Set a breakpoint in the execCmd function.

      • Run the application and interact with the webshell to hit the breakpoint.

      • Monitor variable values and step through the code in Visual Studio.
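
The split described in step 3 (HTML form on one side, server-side script using Process, ProcessStartInfo, and StreamReader on the other) can be checked statically before the file is ever served. The following is an added example, not code from the handbook: the sample page is a constructed, non-functional skeleton rather than the real re_webshell.aspx, and triage_aspx and the control ids are hypothetical names.

```python
import re

# Constructed sample: a non-functional skeleton shaped like the page's description
# of re_webshell.aspx (HTML form + server-side script with execCmd). Not the real file.
SAMPLE_ASPX = r'''<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
string execCmd(string arg) {
    ProcessStartInfo psi = new ProcessStartInfo();
    Process p = null;            // body omitted in this constructed sample
    StreamReader output = null;
    return "";
}
</script>
<html><body><form runat="server">
<asp:TextBox id="txtArg" runat="server" />
<asp:Button id="btnRun" runat="server" Text="Run" />
</form></body></html>'''

# .NET classes the page names in execCmd, with why an analyst cares about each.
INDICATORS = {
    "ProcessStartInfo": "configures a child process",
    "Process": "launches a child process",
    "StreamReader": "reads the child's output back into the page",
}

SCRIPT_RE = re.compile(r'<script[^>]*runat\s*=\s*["\']?server["\']?[^>]*>(.*?)</script>', re.I | re.S)
INLINE_RE = re.compile(r'<%(?![@-])(.*?)%>', re.S)   # <% ... %>, skips directives/comments
CONTROL_RE = re.compile(r'<asp:(\w+)[^>]*\bid\s*=\s*["\'](\w+)["\']', re.I)
FUNC_RE = re.compile(r'\b(?:void|string|int|bool|object)\s+(\w+)\s*\(')

def triage_aspx(text):
    """Split an .aspx page into server-side code and markup, then summarize both."""
    blocks = SCRIPT_RE.findall(text) + INLINE_RE.findall(text)
    code = "\n".join(blocks)
    markup = INLINE_RE.sub("", SCRIPT_RE.sub("", text))
    hits = {name: why for name, why in INDICATORS.items()
            if re.search(r'\b' + name + r'\b', code)}
    return {
        "functions": FUNC_RE.findall(code),
        "indicators": hits,
        "controls": CONTROL_RE.findall(markup),   # (control type, id) pairs
    }

if __name__ == "__main__":
    report = triage_aspx(SAMPLE_ASPX)
    for key, value in report.items():
        print(key, "->", value)
```

The function names it reports are good candidates for the breakpoint in step 5, and the control ids show which form fields feed them.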

Summary

  • Webshells: Allow remote command execution via a web interface.

  • Tools: IIS, Abyss Web Server, Visual Studio.

  • Key Steps: Set up the web server, deploy the webshell, analyze code, and debug if necessary.

This process helps in understanding and analyzing ASPX webshells to uncover their functionality and potential impact on the server.


Last updated 9 months ago