Using Direct Syscalls in Cobalt Strike's Artifact Kit

  • A+
所属分类:安全闲碎

前言

把Syscall武器化,加到CSKit中,短期实现快速免杀.

基本过了赛门和WD我其他就不管了.


Start

gcl https://github.com/outflanknl/InlineWhispers
  • 定义function.txt

NtCreateThreadEx
NtProtectVirtualMemory
NtAllocateVirtualMemory


  • 生成函数

 python InlineWhispers.py
________ __ _____.__ __
_____ __ ___/ |__/ ____ | _____ ____ | | __
/ | | | __ __| | __ / | |/ /
/ | | /| | | | | |__/ __ | | <
_______ /____/ |__| |__| |____(____ /___| /__|_
/ / / /
InlineWhispers
By @_DaWouw @Outflank 2020
[i] in syscalls.asm
[i] out syscalls-asm.h
[i] Function filter file "functions.txt" contains 3 functions.
[+] Success!

生成syscall的头文件后,放在kit下

Using Direct Syscalls in Cobalt Strike's Artifact Kit


接下来就是替换下这些函数就行

照着这篇文章里面的方法来写我们的加载器

https://br-sn.github.io/Implementing-Syscalls-In-The-CobaltStrike-Artifact-Kit/

Using Direct Syscalls in Cobalt Strike's Artifact Kit

附件我待会上传到星球

build.sh有个地方要注意


Using Direct Syscalls in Cobalt Strike's Artifact Kit

编译

Using Direct Syscalls in Cobalt Strike's Artifact Kit


加载

Using Direct Syscalls in Cobalt Strike's Artifact Kit


syscall只支持64位

Using Direct Syscalls in Cobalt Strike's Artifact Kit


测试

Using Direct Syscalls in Cobalt Strike's Artifact Kit


装有赛门+360

Using Direct Syscalls in Cobalt Strike's Artifact Kit



Using Direct Syscalls in Cobalt Strike's Artifact Kit


Using Direct Syscalls in Cobalt Strike's Artifact Kit

碎碎念


Kit的好处就是他是一个最方便的Loader.可以加一些过沙盒的函数进去.

缺点就是特征要自己经常换才行,特征明显.



Using Direct Syscalls in Cobalt Strike's Artifact Kit


广告区:


Using Direct Syscalls in Cobalt Strike's Artifact Kit



好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

好好学习,天天向上!

凑够300字,真的不会写作.

本文始发于微信公众号(RedTeaming):Using Direct Syscalls in Cobalt Strike's Artifact Kit

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: