安界 | Automatically Refactoring Meterpreter to Bypass Antivirus, Continued (Part 5)


To check that everything works as expected, we use the following test file:

#include <windows.h>

int main(int argc, char **argv) {
    MessageBoxA(NULL, "Test", "Something", MB_OK);
    MessageBoxA(NULL, "Another test", "Another something", MB_OK);
    return 0;
}
Run the obfuscator:

./CMakeBuild/avcleaner.bin test/messagebox_simple.c --strings=true --api=true -- -D_WIN64 -D_UNICODE -DUNICODE -D_WINSOCK_DEPRECATED_NO_WARNINGS -I/usr/local/Cellar/llvm/9.0.1 -I/Users/vladimir/dev/scrt/avcleaner/Include/msvc-14.15.26726-include -I/Users/vladimir/dev/scrt/avcleaner/Include/10.0.17134.0/ucrt -I/Users/vladimir/dev/scrt/avcleaner/Include/10.0.17134.0/shared -I/Users/vladimir/dev/scrt/avcleaner/Include/10.0.17134.0/um -I/Users/vladimir/dev/scrt/avcleaner/Include/10.0.17134.0/winrt -w -fdebug-compilation-dir -fno-use-cxa-atexit -fms-extensions -fms-compatibility -fms-compatibility-version=19.15.26726 -std=c++14 -fdelayed-template-parsing -fobjc-runtime=gcc -fcxx-exceptions -fexceptions -fdiagnostics-show-option -fcolor-diagnostics -xc++ -ferror-limit=1900 -target x86_64-pc-windows-msvc19.15.26726 -fsyntax-only -disable-free -disable-llvm-verifier -discard-value-names -dwarf-column-info -debugger-tuning=gdb -momit-leaf-frame-pointer -v
Check the result:

#include <windows.h>

int main(int argc, char **argv) {
    const char hid_Someth_lNGj92poubUG[] = {'\x53','\x6f','\x6d','\x65','\x74','\x68','\x69','\x6e','\x67',0};
    const char hid_Anothe_UP7KUo4Sa8LC[] = {'\x41','\x6e','\x6f','\x74','\x68','\x65','\x72','\x20','\x74','\x65','\x73','\x74',0};
    const char hid_Anothe_ACsNhmIcS1tA[] = {'\x41','\x6e','\x6f','\x74','\x68','\x65','\x72','\x20','\x73','\x6f','\x6d','\x65','\x74','\x68','\x69','\x6e','\x67',0};
    typedef int (*_MessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
    TCHAR hid_User___Bhk5rL2239Kc[] = {'\x55','\x73','\x65','\x72','\x33','\x32','\x2e','\x64','\x6c','\x6c',0};
    HANDLE hid_hHandl_PFP2JD4HjR8w = LoadLibrary(hid_User___Bhk5rL2239Kc);
    TCHAR hid_Messag_drqxgJLSrxfT[] = {'\x4d','\x65','\x73','\x73','\x61','\x67','\x65','\x42','\x6f','\x78','\x41',0};
    _MessageBoxA hid_Messag_1W70P1kc8OJv = (_MessageBoxA) GetProcAddress(hid_hHandl_PFP2JD4HjR8w, hid_Messag_drqxgJLSrxfT);
    TCHAR hid_User___EMmJBb201EuJ[] = {'\x55','\x73','\x65','\x72','\x33','\x32','\x2e','\x64','\x6c','\x6c',0};
    HANDLE hid_hHandl_vU1riOrVWM8g = LoadLibrary(hid_User___EMmJBb201EuJ);
    TCHAR hid_Messag_GoaJMFscXsdw[] = {'\x4d','\x65','\x73','\x73','\x61','\x67','\x65','\x42','\x6f','\x78','\x41',0};
    _MessageBoxA hid_Messag_6nzSLR0dttUn = (_MessageBoxA) GetProcAddress(hid_hHandl_vU1riOrVWM8g, hid_Messag_GoaJMFscXsdw);
    hid_Messag_1W70P1kc8OJv(NULL, "Test", hid_Someth_lNGj92poubUG, MB_OK);
    hid_Messag_6nzSLR0dttUn(NULL, hid_Anothe_UP7KUo4Sa8LC, hid_Anothe_ACsNhmIcS1tA, MB_OK);
    return 0;
}
As you can see, the combination of string obfuscation and API obfuscation is very powerful. The string "Test" was left alone because we decided in advance to ignore short strings. The obfuscated source can then be compiled:

$ cp test/messagebox_simple.c.patch /tmp/test.c
$ x86_64-w64-mingw32-gcc /tmp/test.c -o /tmp/toto.exe
Testing in a Windows 10 virtual machine shows that the program's original functionality still runs correctly. A search then confirms that the obfuscated binary no longer contains the MessageBox string:

$ rabin2 -zz /tmp/toto.exe | grep MessageBox | wc -l
0

Overview
While bypassing the ESET NOD32 antivirus, we found that hiding the API imports related to samlib.dll is very important, especially the APIs in the list below:

SamConnect
SamConnectWithCreds
SamEnumerateDomainsInSamServer
SamLookupDomainInSamServer
SamOpenDomain
SamOpenUser
SamOpenGroup
SamOpenAlias
SamQueryInformationUser
SamSetInformationUser
SamiChangePasswordUser
SamGetGroupsForUser
SamGetAliasMembership
SamGetMembersInGroup
SamGetMembersInAlias
SamEnumerateUsersInDomain
SamEnumerateGroupsInDomain
SamEnumerateAliasesInDomain
SamLookupNamesInDomain
SamLookupIdsInDomain
SamRidToSid
SamCloseHandle
SamFreeMemory
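The runtime resolution shown in the obfuscated output earlier is exactly what keeps imports such as the samlib.dll ones listed here out of the import table and out of a plain string scan. As an added example (not from the original post or the avcleaner project), the following Python script does the reverse for an analyst reviewing such source: it decodes the hid_* char-array initializers back to cleartext and pairs each GetProcAddress call with its LoadLibrary handle to list the DLL!function imports that were hidden. The sample input is constructed from the listing above; the regexes and the function names decode_initializer, recover_strings and resolved_imports are this example's own.

```python
import re

# Constructed sample: lines taken from the obfuscator output shown earlier (one string, one resolved API).
SAMPLE_SOURCE = r"""
const char hid_Someth_lNGj92poubUG[] = {'\x53','\x6f','\x6d','\x65','\x74','\x68','\x69','\x6e','\x67',0};
TCHAR hid_User___Bhk5rL2239Kc[] = {'\x55','\x73','\x65','\x72','\x33','\x32','\x2e','\x64','\x6c','\x6c',0};
HANDLE hid_hHandl_PFP2JD4HjR8w = LoadLibrary(hid_User___Bhk5rL2239Kc);
TCHAR hid_Messag_drqxgJLSrxfT[] = {'\x4d','\x65','\x73','\x73','\x61','\x67','\x65','\x42','\x6f','\x78','\x41',0};
_MessageBoxA hid_Messag_1W70P1kc8OJv = (_MessageBoxA) GetProcAddress(hid_hHandl_PFP2JD4HjR8w, hid_Messag_drqxgJLSrxfT);
"""

# "<const char|TCHAR> name[] = { ... };" as emitted for every hidden string.
ARRAY_RE = re.compile(r"(?:const\s+char|TCHAR)\s+(\w+)\[\]\s*=\s*\{([^}]*)\}\s*;")
# One array element: a '\xNN' escape, a plain 'c' literal, or a bare integer (0 is the terminator).
ELEM_RE = re.compile(r"'\\x([0-9A-Fa-f]{1,2})'|'(.)'|(\d+)")
# "handle = LoadLibrary[A|W](nameVar)" and "GetProcAddress(handle, nameVar)".
LOADLIB_RE = re.compile(r"(\w+)\s*=\s*LoadLibrary\w*\(\s*(\w+)\s*\)")
GETPROC_RE = re.compile(r"GetProcAddress\(\s*(\w+)\s*,\s*(\w+)\s*\)")


def decode_initializer(body: str) -> str:
    """Rebuild the cleartext that an initializer like {'\\x53','\\x6f',...,0} yields at runtime."""
    chars = []
    for hexval, literal, number in ELEM_RE.findall(body):
        if hexval:
            chars.append(chr(int(hexval, 16)))
        elif literal:
            chars.append(literal)
        elif int(number) == 0:
            break  # NUL terminator ends the string
        else:
            chars.append(chr(int(number)))
    return "".join(chars)


def recover_strings(source: str) -> dict:
    """Map every hidden array variable to its decoded cleartext."""
    return {name: decode_initializer(body) for name, body in ARRAY_RE.findall(source)}


def resolved_imports(source: str) -> list:
    """List the DLL!function pairs resolved at runtime, e.g. 'User32.dll!MessageBoxA'."""
    strings = recover_strings(source)
    handle_to_dll = {h: strings.get(var, var) for h, var in LOADLIB_RE.findall(source)}
    return [f"{handle_to_dll.get(h, h)}!{strings.get(var, var)}" for h, var in GETPROC_RE.findall(source)]


if __name__ == "__main__":
    for name, text in recover_strings(SAMPLE_SOURCE).items():
        print(f"{name} -> {text!r}")
    print("resolved imports:", resolved_imports(SAMPLE_SOURCE))
```

Run against a full patched file, the import list is what a reviewer compares against the samlib.dll names above; decimal and plain-literal initializers are handled as well as the '\xNN' form the tool emits.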