文内许多代码为GPT协助生成,并不直接可用,目的为展示思路。
0x00 Reduce entropy
这在很多EDR/AV上都有效果,属于减熵的一些操作。
x64 calc shellcode:
x64 calc shellcode though AES:
x64 calc shellcode though RC4:
经过reduce entropy:
项目推荐:EntropyReducer、entropyfix
0x01 Convert Shellcode
-
单词映射
-
自实现一个映射表
-
key:value形式,例如:
参考如:马尔可夫链 (Markov chain)、map等
推荐项目:convertShellcode2Word、Pokemon-Shellcode-Loader
0x02 Add Resource
Visual Studio中添加资源,如version、icon等:
Resource Hacker:
给SECTION内添加一些“白数据”
// allows us to the fix the entropy of any section
#pragma code_seg(".text")
__declspec(allocate(".text")) char* e[] = {"---------------------------7d9114302a0cb6", "Vector Permutation AES for x86/SSSE3, Mike Hamburg (Stanford University)", "too many files open in system", "Resource temporarily unavailable" , "../../third_party/perfetto/src/protozero/scattered_heap_buffer.cc" , "../../base/trace_event/trace_log.cc" , "Histogram.MismatchedConstructionArguments" , "web_cache/Encoded_size_duplicated_in_data_urls" , "2DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA" , "Beijing Qihu Technology Co., Ltd.0" };
#pragma code_seg(".data")
__declspec(allocate(".data")) char* e2[] = { "GHASH for x86, CRYPTOGAMS by <[email protected]>", "inappropriate io control operation", "illegal byte sequence" , "no such file or directory", "Inappropriate I/O control operation", "Content-Disposition: form-data; name="", "disabled-by-default-java-heap-profiler" , "disabled-by-default-devtools.timeline.invalidationTracking" , "Unsupported (crbug.com/1225176)"" , "net/http_network_session_0x?/ssl_client_session_cache" , "net/url_request_context/isolated_media/0x?/cookie_monster/tasks_pending_global" , "Ihttp://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0" ,"Beijing Qihu Technology Co., Ltd.0"};
做的比较好的星球内也发过:
0x03 Normal behavior
在程序中添加无害功能可以使其看起来更像是正常程序,并使沙箱和反病毒软件更难以识别出恶意行为。
以下是一些示例,展示了如何在C++程序中添加一些无害功能:
-
读取和显示系统时间:
#include <iostream>
#include <ctime>
void display_system_time() {
std::time_t t = std::time(0);
std::tm* now = std::localtime(&t);
std::cout << "Current system time: " << now->tm_hour << ':' << now->tm_min << ':' << now->tm_sec << std::endl;
}
-
读取文件并显示内容:
#include <iostream>
#include <string>
#include <fstream>
void read_and_display_file(const std::string& filename) {
std::ifstream file(filename);
if (file.is_open()) {
std::string line;
while (std::getline(file, line)) {
std::cout << line << std::endl;
}
file.close();
} else {
std::cout << "Unable to open file: " << filename << std::endl;
}
}
-
调用正常的lib,添加开源lib到程序中,
-
使用SQLite数据库存储和检索数据:
在C++代码中使用以下示例创建一个SQLite数据库,创建表,插入数据并查询数据:
#include <iostream>
#include <sqlite3.h>
static int query_callback(void* not_used, int argc, char** argv, char** az_col_name) {
for (int i = 0; i < argc; i++) {
std::cout << az_col_name[i] << " = " << (argv[i] ? argv[i] : "NULL") << std::endl;
}
std::cout << std::endl;
return 0;
}
void sqlite_example() {
sqlite3* db;
char* error_message = nullptr;
if (sqlite3_open("example.db", &db)) {
std::cerr << "Can't open database: " << sqlite3_errmsg(db) << std::endl;
return;
}
const char* create_table_sql = "CREATE TABLE IF NOT EXISTS person ("
"id INTEGER PRIMARY KEY AUTOINCREMENT,"
"name TEXT NOT NULL,"
"age INTEGER NOT NULL);";
if (sqlite3_exec(db, create_table_sql, nullptr, nullptr, &error_message)) {
std::cerr << "Can't create table: " << error_message << std::endl;
sqlite3_free(error_message);
}
const char* insert_data_sql = "INSERT INTO person (name, age) VALUES ('Alice', 30);";
if (sqlite3_exec(db, insert_data_sql, nullptr, nullptr, &error_message)) {
std::cerr << "Can't insert data: " << error_message << std::endl;
sqlite3_free(error_message);
}
const char* query_data_sql = "SELECT * FROM person;";
if (sqlite3_exec(db, query_data_sql, query_callback, nullptr, &error_message)) {
std::cerr << "Can't query data: " << error_message << std::endl;
sqlite3_free(error_message);
}
sqlite3_close(db);
}
-
使用Boost库实现文件操作:
#include <iostream>
#include <boost/filesystem.hpp>
void boost_directory_listing(const std::string& directory_path) {
boost::filesystem::path dir(directory_path);
if (boost::filesystem::exists(dir) && boost::filesystem::is_directory(dir)) {
std::cout << "Listing files in directory: " << directory_path << std::endl;
for (const auto& entry : boost::filesystem::directory_iterator(dir)) {
std::cout << entry.path().string() << std::endl;
}
} else {
std::cerr << "Invalid directory: " << directory_path << std::endl;
}
}
-
增加一些正常的字符串
#include <string>
std::string url1 = "https://www.google.com/search?q=";
std::string url2 = "https://www.wikipedia.org/w/api.php?action=query&format=json&list=search&srsearch=";
std::string filePath1 = "C:/Users/username/Documents/file.txt";
std::string filePath2 = "/home/user/documents/file.txt";
std::string json1 = R"({"name":"John","age":30,"city":"New York"})";
std::string json2 = R"({"product":"Apple iPhone 13","price":999,"currency":"USD"})";
0x04 Program logic
GPT4 / Copilot
-
可以通过使用数据结构、算法和控制流程来实现这一个复杂的混淆代码逻辑。
anti sandbox...etc..
&
&
&
&
1. decrypy shellcode
&
&
&
2. run shellcode
#include <iostream>
#include <vector>
#include <algorithm>
#include <numeric>
#include <functional>
void targetFunction() {
std::cout << "Target function called!n";
}
int obfuscate(int value) {
const int secret = 42;
return (value ^ secret) + secret;
}
void obfuscatedLogic() {
std::vector<int> numbers = {1, 2, 3, 4, 5};
// Step 1: Transform the numbers using the obfuscate function.
std::transform(numbers.begin(), numbers.end(), numbers.begin(), obfuscate);
// Step 2: Calculate the sum of numbers.
int sum = std::accumulate(numbers.begin(), numbers.end(), 0);
// Step 3: Check if the sum is divisible by a magic number.
const int magicNumber = 13;
if (sum % magicNumber == 0) {
// Step 4: Call the target function using a function pointer.
void (*functionPtr)() = targetFunction;
functionPtr();
}
}
int main() {
obfuscatedLogic();
return 0;
}
-
可以利用C++中的高级特性,如模板、 constexpr、std::tuple等,来实现更复杂的混淆代码。
在这个示例中,我们引入了模板和constexpr来创建一个obfuscate函数,它接收一个整数值并返回一个包含多个混淆值的std::array。我们使用了编译时计算的secret_key来生成这些混淆值。
还实现了一个编译时元组包含检查的辅助函数contains,它接受一个元组和一个值,然后检查这个值是否在元组中。这个函数使用了折叠表达式和std::tuple。
在obfuscatedLogic中,我们调用obfuscate函数生成一个obfuscated_numbers数组,然后检查它是否包含特定的数字。如果包含,我们使用一个lambda表达式和std::function来调用目标函数。
#include <iostream>
#include <tuple>
#include <array>
#include <type_traits>
#include <functional>
// Target function
void targetFunction() {
std::cout << "Target function called!n";
}
// Helper metafunction to generate a sequence of integers
template <std::size_t... Is>
struct index_sequence {};
template <std::size_t N, std::size_t... Is>
struct make_index_sequence : make_index_sequence<N - 1, N - 1, Is...> {};
template <std::size_t... Is>
struct make_index_sequence<0, Is...> : index_sequence<Is...> {};
// Obfuscation function
template <typename T, T Value, std::size_t... Is>
constexpr auto obfuscate_impl(index_sequence<Is...>) {
constexpr T secret_key[] = {T(Is + 1)...};
constexpr std::size_t size = sizeof...(Is);
return std::array<T, size>{{(Value ^ secret_key[Is])...}};
}
template <typename T, T Value>
constexpr auto obfuscate() {
return obfuscate_impl<T, Value>(make_index_sequence<5>{});
}
// Helper metafunction to check if a tuple contains a certain value
template <typename Tuple, typename T, std::size_t... Is>
constexpr bool contains_impl(const Tuple& tuple, const T& value, index_sequence<Is...>) {
return ((std::get<Is>(tuple) == value) || ...);
}
template <typename Tuple, typename T>
constexpr bool contains(const Tuple& tuple, const T& value) {
constexpr std::size_t size = std::tuple_size<Tuple>::value;
return contains_impl(tuple, value, make_index_sequence<size>{});
}
// Obfuscated logic
void obfuscatedLogic() {
constexpr auto obfuscated_numbers = obfuscate<int, 42>();
// Check if obfuscated_numbers contains a certain number
if (contains(obfuscated_numbers, 64)) {
// Call the target function using a lambda expression and a std::function
std::function<void()> call_target = [] { targetFunction(); };
call_target();
}
}
int main() {
obfuscatedLogic();
return 0;
}
其他,做运算等
0x05 窗体程序
如基于界面QT、MFC来编写对应的代码
总的来说,尽量让程序像一个正常的程序。
快来和 700+ 人一起学习
原文始发于微信公众号(黑客在思考):数字环境QVM对抗思路总结
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论