安界|自动重构Meterpreter绕过杀软·续( 四 ) 前言

这是最琐碎的部分。目的是用随机标识符替换AST中的MessageBoxA 。此随机变量的初始化会在后续部分中完成。 boolApiMatchHandler::handleCallExpr(constCallExpr*CallExpression,clang::ASTContext*constpContext){//generatearandomvariablenamestd::stringReplacement=Utils::translateStringToIdentifier(_ApiName);//injectRun-timedynamiclinkingif(!addGetProcAddress(CallExpression,pContext,Replacement,_ApiName))returnfalse;//MessageBoxA->randomidentifiergeneratedabovereturnreplaceIdentifier(CallExpression,_ApiName,Replacement);}
ReplaceTextClangAP用于重命名函数标识符：boolApiMatchHandler::replaceIdentifier(constCallExpr*CallExpression,conststd::string&ApiName,conststd::string&NewIdentifier){returnthis->ASTRewriter->ReplaceText(CallExpression->getBeginLoc(),ApiName.length(),NewIdentifier);}插入LoadLibrary/GetProcAddress
为我们要添加的API注入运行时动态链接是一个多步骤过程：我们可以选择将API原型插入翻译单元的顶部或封闭函数中。为了更方便简单，我们选择后者，但是我们需要确保它没有被添加，以防在同一个函数中多次调用该API(如果后面调用相同的API ，就会发生这种情况) 。插入行HANDLE
LoadLibrary(
);插入对GetProcAddress的调用。
当然，为了避免在执行此操作时插入明显的敏感字符串，必须将每个字符串写为堆栈字符串的形式。这会使代码阅读起来有些冗杂，但并太复杂：boolApiMatchHandler::addGetProcAddress(constclang::CallExpr*pCallExpression,clang::ASTContext*constpContext,conststd::string&NewIdentifier,std::string&ApiName){SourceRangeEnclosingFunctionRange=findInjectionSpot(pContext,clang::ast_type_traits::DynTypedNode(),*pCallExpression,0);std::stringstreamResult;//addfunctionprototypeifnotalreadyaddedif(std::find(TypedefAdded.begin(),TypedefAdded.end(),pCallExpression->getDirectCallee())==TypedefAdded.end()){Result<<"t"<<_TypeDef<<"n";}//addLoadLibrarywithobfuscatedstringsstd::stringLoadLibraryVariable=Utils::translateStringToIdentifier(_Library);std::stringLoadLibraryString=Utils::generateVariableDeclaration(LoadLibraryVariable,_Library);std::stringLoadLibraryHandleIdentifier=Utils::translateStringToIdentifier("hHandle_"+_Library);Result<<"t"<<LoadLibraryString<<std::endl;Result<<"tHANDLE"<<LoadLibraryHandleIdentifier<<"=LoadLibrary("<<LoadLibraryVariable<<");n";//addGetProcAddresswithobfuscatedstring:TypeDefNewIdentifier=(TypeDef)GetProcAddress(handleIdentifier,ApiName)std::stringApiNameIdentifier=Utils::translateStringToIdentifier(ApiName);std::stringApiNameDecl=Utils::generateVariableDeclaration(ApiNameIdentifier,ApiName);Result<<"t"<<ApiNameDecl<<"n";Result<<"t_"<<ApiName<<""<<NewIdentifier<<"=(_"<<ApiName<<")GetProcAddress("<<LoadLibraryHandleIdentifier<<","<<ApiNameIdentifier<
getDirectCallee());//addeverythingatthebeginningofthefunction.return!(ASTRewriter->InsertText(EnclosingFunctionRange.getBegin(),Result.str()));}测试gitclonehttps://github.com/scrt/avcleanermkdiravcleaner/CMakeBuild&&cdavcleaner/CMakeBuildcmake..makecd..