技术编程|自动重构Meterpreter绕过杀软·续( 五 )


为了测试一切是否如预期运行，我们使用以下测试文件：
#include <windows.h>
/*
 * Minimal input for the obfuscator run below: two MessageBoxA calls that
 * use plain string literals and go through the import table directly, so
 * the effect of --strings and --api can be compared against the output.
 * Runtime behaviour: show two message boxes, then exit with status 0.
 */
int main(int argc, char **argv) {
    (void)argc;   /* command line is not used by this test */
    (void)argv;
    HWND owner = NULL;   /* no parent window for either box */

    /* "Test" is shorter than the obfuscator's string threshold and stays as is. */
    MessageBoxA(owner, "Test", "Something", MB_OK);
    MessageBoxA(owner, "Another test", "Another something", MB_OK);
    return 0;
}
运行混淆器：
./CMakeBuild/avcleaner.bin test/messagebox_simple.c --strings=true --api=true -- -D _WIN64 -D _UNICODE -D UNICODE -D _WINSOCK_DEPRECATED_NO_WARNINGS \
  -I /usr/local/Cellar/llvm/9.0.1 \
  -I /Users/vladimir/dev/scrt/avcleaner/Include/msvc-14.15.26726-include \
  -I /Users/vladimir/dev/scrt/avcleaner/Include/10.0.17134.0/ucrt \
  -I /Users/vladimir/dev/scrt/avcleaner/Include/10.0.17134.0/shared \
  -I /Users/vladimir/dev/scrt/avcleaner/Include/10.0.17134.0/um \
  -I /Users/vladimir/dev/scrt/avcleaner/Include/10.0.17134.0/winrt -w -fdebug-compilation-dir -fno-use-cxa-atexit -fms-extensions -fms-compatibility -fms-compatibility-version=19.15.26726 -std=c++14 -fdelayed-template-parsing -fobjc-runtime=gcc -fcxx-exceptions -fexceptions -fdiagnostics-show-option -fcolor-diagnostics -x c++ -ferror-limit=1900 -target x86_64-pc-windows-msvc19.15.26726 -fsyntax-only -disable-free -disable-llvm-verifier -discard-value-names -dwarf-column-info -debugger-tuning=gdb -momit-leaf-frame-pointer -v
检查结果：
#include <windows.h>
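/*
 * Output of avcleaner for the test file above (--strings=true --api=true).
 * Each hidden string is rebuilt at run time from a per-character array, and
 * MessageBoxA is no longer reached through the import table: User32.dll is
 * loaded with LoadLibrary and the export is looked up with GetProcAddress.
 * Only "Test" survives as a literal, because strings that short are skipped.
 *
 * Extraction had fused the `char` keyword with the identifiers that follow
 * it (`const charhid_...`); the spacing is restored here so the listing
 * compiles. The generated logic itself is left exactly as the tool emitted it.
 *
 * Review notes (defender's view):
 *  - The import directory no longer names MessageBoxA and a string search of
 *    the binary does not find it (see the rabin2 check below), but the DLL and
 *    export names are reassembled on the stack right before use, so they are
 *    visible to runtime inspection and to hooks on LoadLibrary/GetProcAddress.
 *  - Every call site gets its own LoadLibrary/GetProcAddress pair: User32.dll
 *    is requested twice and MessageBoxA resolved twice for two calls.
 *  - GetProcAddress takes LPCSTR while the name arrays are TCHAR, so this only
 *    compiles when TCHAR is char, i.e. when UNICODE is not defined. The
 *    mingw-w64 command on this page defines neither UNICODE nor _UNICODE; the
 *    clang invocation used to run the obfuscator did.
 *  - Neither LoadLibrary nor GetProcAddress is checked for NULL; a failed
 *    lookup ends in a call through a null function pointer.
 *  - `_MessageBoxA` (leading underscore + capital) is a reserved identifier;
 *    harmless here, but worth knowing when reading tool output.
 */
int main(int argc, char** argv) {
    /* Hidden caption/text strings, one character per element, NUL-terminated. */
    const char hid_Someth_lNGj92poubUG[] = {'\x53','\x6f','\x6d','\x65','\x74','\x68','\x69','\x6e','\x67',0};                                                 /* "Something" */
    const char hid_Anothe_UP7KUo4Sa8LC[] = {'\x41','\x6e','\x6f','\x74','\x68','\x65','\x72','\x20','\x74','\x65','\x73','\x74',0};                             /* "Another test" */
    const char hid_Anothe_ACsNhmIcS1tA[] = {'\x41','\x6e','\x6f','\x74','\x68','\x65','\x72','\x20','\x73','\x6f','\x6d','\x65','\x74','\x68','\x69','\x6e','\x67',0}; /* "Another something" */

    /* Signature of the function resolved below, mirroring MessageBoxA. */
    typedef int (*_MessageBoxA)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);

    /* First call site: load User32.dll and resolve MessageBoxA by name. */
    TCHAR hid_User___Bhk5rL2239Kc[] = {'\x55','\x73','\x65','\x72','\x33','\x32','\x2e','\x64','\x6c','\x6c',0};        /* "User32.dll" */
    HANDLE hid_hHandl_PFP2JD4HjR8w = LoadLibrary(hid_User___Bhk5rL2239Kc);
    TCHAR hid_Messag_drqxgJLSrxfT[] = {'\x4d','\x65','\x73','\x73','\x61','\x67','\x65','\x42','\x6f','\x78','\x41',0}; /* "MessageBoxA" */
    _MessageBoxA hid_Messag_1W70P1kc8OJv = (_MessageBoxA) GetProcAddress(hid_hHandl_PFP2JD4HjR8w, hid_Messag_drqxgJLSrxfT);

    /* Second call site: same DLL and export, resolved again independently. */
    TCHAR hid_User___EMmJBb201EuJ[] = {'\x55','\x73','\x65','\x72','\x33','\x32','\x2e','\x64','\x6c','\x6c',0};        /* "User32.dll" */
    HANDLE hid_hHandl_vU1riOrVWM8g = LoadLibrary(hid_User___EMmJBb201EuJ);
    TCHAR hid_Messag_GoaJMFscXsdw[] = {'\x4d','\x65','\x73','\x73','\x61','\x67','\x65','\x42','\x6f','\x78','\x41',0}; /* "MessageBoxA" */
    _MessageBoxA hid_Messag_6nzSLR0dttUn = (_MessageBoxA) GetProcAddress(hid_hHandl_vU1riOrVWM8g, hid_Messag_GoaJMFscXsdw);

    /* "Test" was left as a literal by the tool (below its length threshold). */
    hid_Messag_1W70P1kc8OJv(NULL, "Test", hid_Someth_lNGj92poubUG, MB_OK);
    hid_Messag_6nzSLR0dttUn(NULL, hid_Anothe_UP7KUo4Sa8LC, hid_Anothe_ACsNhmIcS1tA, MB_OK);
    return 0;
}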
可以看到，字符串混淆和 API 混淆的组合非常强大。字符串“Test”被忽略了，因为我们预先决定忽略过短的字符串。然后，可以编译混淆后的源代码：
$ cp test/messagebox_simple.c.patch /tmp/test.c
$ x86_64-w64-mingw32-gcc /tmp/test.c -o /tmp/toto.exe
在 Windows 10 虚拟机上进行的测试表明，程序原本的功能可以正常执行。然后通过搜索，我们发现混淆后的二进制文件中没有 MessageBox 字符串：
$ rabin2 -zz /tmp/toto.exe | grep MessageBox | wc -l
0

概述

