众亦信安,中意你啊!
点不了吃亏,点不了上当,设置星标,方能无恙!
https://www.ddosi.org/cobalt-strike-4-9-1/
cobaltsrike破解有很多方法,一般都是通过key来进行破解,利用key破解思路比较清晰,不过后续还得对暗桩进行一个一个的去除。
这里我采用的是agent方法:
创建Transformer函数,函数的作用就是利用线程加载资源,在不影响jar包的情况下替换资源
package main;import java.io.IOException;import java.io.InputStream;import java.lang.instrument.ClassFileTransformer;import java.lang.instrument.IllegalClassFormatException;import java.security.ProtectionDomain;public class Transformer implements ClassFileTransformer {public static byte[]loadClassBytes(String resourceName){// 使用当前线程的类加载器来加载资源try (InputStream inputStream =Transformer.class.getClassLoader().getResourceAsStream(resourceName)){if (inputStream == null){System.out.println("Resource not found: " + resourceName);return null;}returninputStream.readAllBytes();}catch (IOException e){e.printStackTrace();return null;}}public byte[] transform(ClassLoaderloader, String className, Class < ? > classBeingRedefined,ProtectionDomain protectionDomain, byte[] classfileBuffer) throwsIllegalClassFormatException {try {if(className.equals("sun/management/VMManagementImpl")) {classfileBuffer =loadClassBytes("resources/VMManagementImpl");}} catch (Throwable e) {throw newRuntimeException(e);}try {if(className.equals("aggressor/browsers/Targets")) {classfileBuffer =loadClassBytes("resources/Targets");}} catch (Throwable e) {throw newRuntimeException(e);}try {if(className.equals("aggressor/browsers/Sessions")) {classfileBuffer =loadClassBytes("resources/Sessions");}} catch (Throwable e) {throw newRuntimeException(e);}try {if(className.equals("aggressor/Prefs")) {classfileBuffer =loadClassBytes("resources/Prefs");}} catch (Throwable e) {throw newRuntimeException(e);}try {if (className.equals("aggressor/windows/ListenerManager")){classfileBuffer =loadClassBytes("resources/ListenerManager");}} catch (Throwable e) {throw newRuntimeException(e);}try {if(className.equals("common/BeaconEntry")) {classfileBuffer =loadClassBytes("resources/BeaconEntry");}} catch (Throwable e) {throw newRuntimeException(e);}try {if (className.equals("beacon/BeaconPayload")){classfileBuffer =loadClassBytes("resources/BeaconPayload");}} catch (Throwable e) {throw newRuntimeException(e);}try {if(className.equals("aggressor/Aggressor")) {classfileBuffer =loadClassBytes("resources/Aggressor");}} catch (Throwable e) {throw newRuntimeException(e);}try {if(className.equals("common/Authorization")) {classfileBuffer =loadClassBytes("resources/Authorization");}} catch (Throwable e) {throw newRuntimeException(e);}return classfileBuffer;}}
利用mian函数调用
package main;import java.lang.instrument.Instrumentation;public class CSCracker {public static void premain(StringagentArgs, Instrumentation inst) {inst.addTransformer(newTransformer());}}
之后创建resources文件,在文件中添加你所要替换的类,之后生成jar包
运行方法:jdk11+
java.exe -javaagent:hook.jar -jar cobaltstrike-client.jar
Server端:
server端不做太多描述,这里直接贴脚本
from argparse import ArgumentParser, FileTypeimport base64import hashlibimport reauthkey_b64 ="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkgtvDimGFGRAs2rwqZ7EOnLJknr4LNtQwZ1n8PiXEegmnP//rdXal4VenANymQXZ1F6Ln3+98oFTWNQrxpDrau3NR5lMoELx41SxA46p/+ljNBqQ8+HMkxDlueImMbNgizI4uT9XV+UPB0mhv31v1FT+dMMKS/UKKhz/r9yoEgwmXTIfTGLUS6+GTfyvrjotN3xsJlx3aHtO1yL3bz0h4Jxz8v6DanuqBkz2K0T1r++ECqNopH0vtvWihLrmkDYm0ST+/NXLhd5djyYQuaEc9nYrip/iefs9BVFGBuKMUmSoT9+1bHp4GXWhloEq/5+w+UlYLI0pNNqVJVEgAtdiRwIDAQAB"def CalcMD5(data: bytes):md5 = hashlib.md5()md5.update(data)return md5.hexdigest()def ReplaceData(data, original_data, replacement_data):pos = data.find(original_data)while pos != -1:for i inrange(len(replacement_data)):data[pos+i] =replacement_data[i]pos = data.find(original_data)return datadef Crack(dst):with open('./TeamServerImage',"rb") as f1, open("./TeamServerImageCrack","wb")as f2:dataDst = dst.read()md5Dst = CalcMD5(dataDst)data = bytearray(f1.read())ReplaceData(data,b"x90x48x8Bx7Cx24x20xBEx00x00x00x00xBAx00x01x00x00xE8x19x88x52x00x90x48x8Bx7Cx24x30x48x8BxF0xE8x7BxF6xFFxFF",b"x90x48x8Bx7Cx24x20xBEx00x00x00x00xBAx00x01x00x00xE8x19x88x52x00x90x48x8Bx7Cx24x30x48x8BxF0x90x90x90x90x90")ReplaceData(data,b"x48x8BxF8xBEx00x01x00x00xBAx00x02x00x00xE8x84x68x52x00x90x48x8Bx7Cx24x38x48x8BxF0xE8x36x1Dx00x00",b"x48x8BxF8xBEx00x01x00x00xBAx00x02x00x00xE8x84x68x52x00x90x48x8Bx7Cx24x38x48x8BxF0x90x90x90x90x90")f2.write(data)print("Crack TeamServerImagesuccess.")def parseArgs():parser = ArgumentParser(prog='crack.py',description='Crack TeamServerImage')parser.add_argument('-s', '--src',help=u'origin authkey.pub file',type=FileType('rb'), required=False)parser.add_argument('-d', '--dst',help=u'crack authkey.pub file',type=FileType('rb'), required=True)parser.add_argument('-t', '--target',help=u'crack TeamServerImage file',type=FileType('rb'), required=True)return parser.parse_args()def main():args = parseArgs()Crack(args.dst)if __name__ == "__main__":main()
httpstager
这里直接参考:
https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/
相应的还有一些sgn等工具,这些都不过是对静态特征进行处理
YARA-f0b627fc
这个也是那个shellcode
参考以下脚本
package main;
import java.io.IOException;
import java.io.InputStream;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.IllegalClassFormatException;
import java.security.ProtectionDomain;
public class Transformer implements ClassFileTransformer {
public static byte[]
loadClassBytes(String resourceName){
// 使用当前线程的类加载器来加载资源
try (InputStream inputStream =
Transformer.class.getClassLoader().getResourceAsStream(resourceName)){
if (inputStream == null){
System.out.println("Resource not found: " + resourceName);
return null;
}
return
inputStream.readAllBytes();
}catch (IOException e){
e.printStackTrace();
return null;
}
}
@Override
public byte[] transform(ClassLoader
loader, String className, Class < ? > classBeingRedefined,
ProtectionDomain protectionDomain, byte[] classfileBuffer) throws
IllegalClassFormatException {
try {
if
(className.equals("sun/management/VMManagementImpl")) {
classfileBuffer =
loadClassBytes("resources/VMManagementImpl");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
try {
if
(className.equals("aggressor/browsers/Targets")) {
classfileBuffer =
loadClassBytes("resources/Targets");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
try {
if
(className.equals("aggressor/browsers/Sessions")) {
classfileBuffer =
loadClassBytes("resources/Sessions");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
try {
if
(className.equals("aggressor/Prefs")) {
classfileBuffer =
loadClassBytes("resources/Prefs");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
try {
if (className.equals("aggressor/windows/ListenerManager"))
{
classfileBuffer =
loadClassBytes("resources/ListenerManager");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
try {
if
(className.equals("common/BeaconEntry")) {
classfileBuffer =
loadClassBytes("resources/BeaconEntry");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
try {
if (className.equals("beacon/BeaconPayload"))
{
classfileBuffer =
loadClassBytes("resources/BeaconPayload");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
try {
if
(className.equals("aggressor/Aggressor")) {
classfileBuffer =
loadClassBytes("resources/Aggressor");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
try {
if
(className.equals("common/Authorization")) {
classfileBuffer =
loadClassBytes("resources/Authorization");
}
} catch (Throwable e) {
throw new
RuntimeException(e);
}
return classfileBuffer;
}
}
其他新增
ip归属地
导入qqwry的代码
src/aggressor/browsers/Sessions.java
新增address字段
src/common/BeaconEntry.java
package main;
import java.lang.instrument.Instrumentation;
public class CSCracker {
public static void premain(String
agentArgs, Instrumentation inst) {
inst.addTransformer(new
Transformer());
}
}
原文始发于微信公众号(众亦信安):cobaltsrike破解到yara特征消除
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论