Implementing BRC4's Debugging features

admin, 2021-09-24 08:00:00

BRC4 was recently updated to version 0.6, which added a set of Debugging features: list_modules lists the modules loaded in the current process or another process, list_exports shows the exported functions of a module, and Memory hunting finds RWX regions in memory (an RWX region is also what one common shellcode-loading approach leaves behind).


The author's intent is to use these features to probe for EDR/AV, but that feels somewhat superfluous. The implementation code for each feature is given below for anyone interested.


list_modules


This one is straightforward: C#'s ProcessModule already exposes everything needed.


```csharp
using System;
using System.Diagnostics;

static void Main(string[] args)
{
    // With a pid argument inspect that process, otherwise inspect the current one.
    // Note: a 32-bit process cannot enumerate the modules of a 64-bit target (Win32Exception), and vice versa.
    Process targetProcess = args.Length != 0
        ? Process.GetProcessById(Convert.ToInt32(args[0]))
        : Process.GetCurrentProcess();

    ProcessModuleCollection myProcessModuleCollection = targetProcess.Modules;
    for (int i = 0; i < myProcessModuleCollection.Count; i++)
    {
        ProcessModule myProcessModule = myProcessModuleCollection[i];
        // ModuleName and EntryPointAddress are also available on each ProcessModule
        Console.WriteLine(" - " + myProcessModule.BaseAddress + " | " + myProcessModule.FileName);
    }
}
```



list_exports


This can be handled with SymLoadModuleEx and SymEnumerateSymbols64 plus a callback function (SymInitialize must be called on the process handle first, and SymCleanup afterwards).


```csharp
// P/Invoke declarations for dbghelp.dll that the snippet relies on
[DllImport("dbghelp.dll", SetLastError = true)]
static extern bool SymInitialize(IntPtr hProcess, string UserSearchPath, bool fInvadeProcess);
[DllImport("dbghelp.dll", SetLastError = true)]
static extern ulong SymLoadModuleEx(IntPtr hProcess, IntPtr hFile, string ImageName, string ModuleName,
                                    ulong BaseOfDll, uint DllSize, IntPtr Data, uint Flags);
[DllImport("dbghelp.dll", SetLastError = true)]
static extern bool SymEnumerateSymbols64(IntPtr hProcess, ulong BaseOfDll,
                                         SymEnumerateSymbolsProc64 EnumSymbolsCallback, IntPtr UserContext);
[DllImport("dbghelp.dll", SetLastError = true)]
static extern bool SymCleanup(IntPtr hProcess);
delegate bool SymEnumerateSymbolsProc64(string SymbolName, ulong SymbolAddress, uint SymbolSize, IntPtr UserContext);

// Callback invoked once per symbol; return true to keep enumerating
static bool EnumSyms(string name, ulong address, uint size, IntPtr context)
{
    Console.WriteLine(" - 0x" + address.ToString("X") + " | " + name);
    return true;
}

static void ListExports()
{
    IntPtr hCurrentProcess = Process.GetCurrentProcess().Handle;
    if (!SymInitialize(hCurrentProcess, null, false)) { Console.Out.WriteLine("Failed to init symbols."); return; }

    ulong baseOfDll = SymLoadModuleEx(hCurrentProcess,
                                      IntPtr.Zero,
                                      @"c:\windows\system32\user32.dll",
                                      null,
                                      0,
                                      0,
                                      IntPtr.Zero,
                                      0);
    if (baseOfDll == 0) { Console.Out.WriteLine("Failed to load module."); SymCleanup(hCurrentProcess); return; }
    if (SymEnumerateSymbols64(hCurrentProcess, baseOfDll, EnumSyms, IntPtr.Zero) == false) { Console.Out.WriteLine("Failed to enum symbols."); }
    SymCleanup(hCurrentProcess);
}
```
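The dbghelp route above hides what an "export" actually is. As an added example (not code from the original post or from BRC4), the following C# parses a DLL's export directory directly from the file on disk and lists each named export with its RVA, or with its forwarder string when the entry forwards to another DLL. It needs no dbghelp, handles both PE32 and PE32+ images, and works on any file path; the default path `C:\Windows\System32\user32.dll` and the class and method names are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

// Added example: enumerate a DLL's named exports by parsing its export directory on disk.
class PeExports
{
    static uint U32(byte[] b, int off) => BitConverter.ToUInt32(b, off);
    static ushort U16(byte[] b, int off) => BitConverter.ToUInt16(b, off);

    // Map an RVA to a file offset using the section table (40-byte IMAGE_SECTION_HEADER entries)
    static int RvaToOffset(byte[] img, uint rva, int sectionTable, int numSections)
    {
        for (int i = 0; i < numSections; i++)
        {
            int sh = sectionTable + i * 40;
            uint virtSize = U32(img, sh + 8);
            uint va = U32(img, sh + 12);
            uint rawSize = U32(img, sh + 16);
            if (rva >= va && rva < va + Math.Max(virtSize, rawSize))
                return (int)(rva - va + U32(img, sh + 20)); // PointerToRawData
        }
        throw new InvalidDataException("RVA 0x" + rva.ToString("X") + " is not inside any section");
    }

    static string CString(byte[] img, int off)
    {
        int end = off;
        while (end < img.Length && img[end] != 0) end++;
        return Encoding.ASCII.GetString(img, off, end - off);
    }

    // Returns (export name, "0x<RVA>" or "-> Dll.Func" for forwarded exports)
    public static List<KeyValuePair<string, string>> ListExports(string path)
    {
        byte[] img = File.ReadAllBytes(path);
        if (U16(img, 0) != 0x5A4D) throw new InvalidDataException("not an MZ file");
        int nt = (int)U32(img, 0x3C);                       // e_lfanew
        if (U32(img, nt) != 0x00004550) throw new InvalidDataException("missing PE signature");
        int numSections = U16(img, nt + 6);                  // IMAGE_FILE_HEADER.NumberOfSections
        int optHdr = nt + 24;
        ushort magic = U16(img, optHdr);                     // 0x10B = PE32, 0x20B = PE32+
        int dirBase = optHdr + (magic == 0x20B ? 112 : 96);  // start of the data directories
        int sectionTable = optHdr + U16(img, nt + 20);       // + SizeOfOptionalHeader
        uint expRva = U32(img, dirBase);                     // data directory[0] = exports
        uint expSize = U32(img, dirBase + 4);

        var result = new List<KeyValuePair<string, string>>();
        if (expRva == 0) return result;                      // module exports nothing by name

        int exp = RvaToOffset(img, expRva, sectionTable, numSections);
        uint numNames = U32(img, exp + 24);
        int funcs = RvaToOffset(img, U32(img, exp + 28), sectionTable, numSections);
        int names = RvaToOffset(img, U32(img, exp + 32), sectionTable, numSections);
        int ords = RvaToOffset(img, U32(img, exp + 36), sectionTable, numSections);
        for (int i = 0; i < numNames; i++)
        {
            string name = CString(img, RvaToOffset(img, U32(img, names + i * 4), sectionTable, numSections));
            ushort ord = U16(img, ords + i * 2);             // index into AddressOfFunctions
            uint funcRva = U32(img, funcs + ord * 4);
            // A function RVA that falls inside the export directory is a forwarder string, not code
            string value = (funcRva >= expRva && funcRva < expRva + expSize)
                ? "-> " + CString(img, RvaToOffset(img, funcRva, sectionTable, numSections))
                : "0x" + funcRva.ToString("X");
            result.Add(new KeyValuePair<string, string>(name, value));
        }
        return result;
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\Windows\System32\user32.dll";
        foreach (var e in ListExports(path))
            Console.WriteLine(" - " + e.Value + " | " + e.Key);
    }
}
```

Because it reads the file rather than the loaded image, this parser also serves for offline inspection of a module that is not loaded in any process; exports without a name (ordinal-only) are not listed, since only the name table is walked.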



Memory hunting


Just query with VirtualQueryEx. One caveat: AllocationProtect is the protection a region was allocated with, so a region allocated RW and later switched to RWX with VirtualProtect only shows up in the current Protect field.


```cpp
#include <windows.h>
#include <iostream>

// `process` is a HANDLE to the target (e.g. from OpenProcess with PROCESS_QUERY_INFORMATION).
// Walk the address space region by region, starting at address 0.
MEMORY_BASIC_INFORMATION mbi = {};
LPVOID offset = nullptr;
while (VirtualQueryEx(process, offset, &mbi, sizeof(mbi)))
{
    offset = (LPVOID)((DWORD_PTR)mbi.BaseAddress + mbi.RegionSize);
    // AllocationProtect is the protection at allocation time; compare mbi.Protect for the current one
    if (mbi.AllocationProtect == PAGE_EXECUTE_READWRITE && mbi.State == MEM_COMMIT && mbi.Type == MEM_PRIVATE)
    {
        std::cout << "\tRWX: 0x" << std::hex << mbi.BaseAddress << "\n";
    }
}
```
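The same walk in C#, as an added example rather than code from the original post or from BRC4, so it sits beside the other two C# features. It goes slightly beyond the snippet above: it opens the target by pid itself, reports both regions whose current protection is RWX and regions that were allocated RWX (the case the AllocationProtect-only check misses, and the case where a region has since been changed away from RWX), and prints the region size. The class, struct and method names are assumptions of this example; the Win32 constants are the documented values.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example: find committed private RWX regions in a process with VirtualQueryEx.
class MemoryHunt
{
    const uint MEM_COMMIT = 0x1000;
    const uint MEM_PRIVATE = 0x20000;
    const uint PAGE_EXECUTE_READWRITE = 0x40;
    const uint PROCESS_QUERY_INFORMATION = 0x0400;

    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;   // protection when the region was reserved/allocated
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;             // current protection of the pages
        public uint Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
                                        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    public struct Finding { public ulong Base; public ulong Size; public bool RwxNow; public bool RwxAtAlloc; }

    public static List<Finding> Scan(int pid)
    {
        var findings = new List<Finding>();
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (h == IntPtr.Zero)
            throw new InvalidOperationException("OpenProcess failed, error " + Marshal.GetLastWin32Error());
        try
        {
            IntPtr addr = IntPtr.Zero;
            IntPtr mbiSize = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
            MEMORY_BASIC_INFORMATION mbi;
            // VirtualQueryEx returns 0 once addr passes the end of the user-mode address space
            while (VirtualQueryEx(h, addr, out mbi, mbiSize) != IntPtr.Zero)
            {
                ulong baseAddr = (ulong)mbi.BaseAddress.ToInt64();
                ulong size = (ulong)mbi.RegionSize.ToInt64();
                bool rwxNow = mbi.Protect == PAGE_EXECUTE_READWRITE;
                bool rwxAtAlloc = mbi.AllocationProtect == PAGE_EXECUTE_READWRITE;
                if (mbi.State == MEM_COMMIT && mbi.Type == MEM_PRIVATE && (rwxNow || rwxAtAlloc))
                    findings.Add(new Finding { Base = baseAddr, Size = size, RwxNow = rwxNow, RwxAtAlloc = rwxAtAlloc });

                ulong next = baseAddr + size;
                if (IntPtr.Size == 4 && next > uint.MaxValue) break; // would not fit a 32-bit pointer
                addr = (IntPtr)(long)next;
            }
        }
        finally { CloseHandle(h); }
        return findings;
    }

    static void Main(string[] args)
    {
        int pid = args.Length > 0 ? Convert.ToInt32(args[0]) : Process.GetCurrentProcess().Id;
        foreach (var f in Scan(pid))
            Console.WriteLine("\tRWX: 0x" + f.Base.ToString("X") + " size 0x" + f.Size.ToString("X")
                              + (f.RwxNow ? " [current]" : "") + (f.RwxAtAlloc ? " [at allocation]" : ""));
    }
}
```

Reading the current protection is what matters for spotting injected code that was made executable after being written; keeping the allocation-time flag as well shows regions that were RWX at some point but have since been tightened, which a Protect-only check would silently skip. Image-backed regions (MEM_IMAGE) are deliberately excluded, matching the MEM_PRIVATE filter above.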












Published by admin on 2021-09-24; original link (CN-SEC): http://cn-sec.com/archives/555134.html
