编程技术-新人第一篇 (一个通用的简单反远控技术)
推荐 原创序言:首先,我不能保证全部拦住,只能保证拦住简单的那种,没经过特殊处理的
我们都知道,远程控制木马病毒,一直是杀毒软件困扰的
但是我们通过观察他们的表面特征,都能发现几个共同点
1.没有窗口
2.一般来说没有签名
3.Mutex互斥体(防止重复上线)
4.联网
特征显而易见
但是有些远控不加Mutex 所以我们不判断这个
那么剩下的就是 没有窗口 没有签名 和联网了
有些木马是有签名的,我们暂时不提
|
1
2
3
4
5
6
7
8
9
10
11
12
|
#include <iostream>
#include <windows.h>
#include <softpub.h>
#include <wintrust.h>
#include <tchar.h>
#include <psapi.h>
#include <tlhelp32.h>
#include <Iphlpapi.h>
#include <vector>
#pragma comment (lib, "wintrust")
#pragma comment(lib, "Iphlpapi.lib")
using namespace std;
|
我们要用到的头文件和namespace这些
好,我们可以开始编写主体部分了
1.判断是否有窗口,代码如下
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
bool
DoesProcessHaveWindow(DWORD processId) {
HWND hwnd
=
FindWindow(nullptr, nullptr);
while
(hwnd) {
DWORD windowProcessId;
GetWindowThreadProcessId(hwnd, &windowProcessId);
if
(windowProcessId
=
=
processId) {
return
true;
}
hwnd
=
GetWindow(hwnd, GW_HWNDNEXT);
}
return
false;
}
int
Is_Has_Window(DWORD targetProcessId) {
if
(DoesProcessHaveWindow(targetProcessId)) {
std::cout <<
"The specified process has a window."
<< std::endl;
return
1
;
}
else
{
std::cout <<
"The specified process does not have a window."
<< std::endl;
return
0
;
}
}
|
Is_Has_Window(进程PID) 如果返回1 就有窗口 如果返回0 就没窗口
2.判断签名是否合法
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
int
VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
LONG
lStatus;
DWORD dwLastError;
/
/
Initialize the WINTRUST_FILE_INFO structure.
/
/
待验证文件的完整路径
WINTRUST_FILE_INFO FileData;
memset(&FileData,
0
, sizeof(FileData));
FileData.cbStruct
=
sizeof(WINTRUST_FILE_INFO);
FileData.pcwszFilePath
=
pwszSourceFile;
FileData.hFile
=
NULL;
FileData.pgKnownSubject
=
NULL;
/
*
WVTPolicyGUID specifies the policy to
apply
on the
file
WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:
1
) The certificate used to sign the
file
chains up to a root
certificate located
in
the trusted root certificate store. This
implies that the identity of the publisher has been verified by
a certification authority.
2
) In cases where user interface
is
displayed (which this example
does
not
do), WinVerifyTrust will check
for
whether the
end entity certificate
is
stored
in
the trusted publisher store,
implying that the user trusts content
from
this publisher.
3
) The end entity certificate has sufficient permission to sign
code, as indicated by the presence of a code signing EKU
or
no
EKU.
*
/
GUID WVTPolicyGUID
=
WINTRUST_ACTION_GENERIC_VERIFY_V2;
WINTRUST_DATA WinTrustData;
/
/
Initialize the WinVerifyTrust
input
data structure.
/
/
Default
all
fields to
0.
memset(&WinTrustData,
0
, sizeof(WinTrustData));
WinTrustData.cbStruct
=
sizeof(WinTrustData);
/
/
Use default code signing EKU.
WinTrustData.pPolicyCallbackData
=
NULL;
/
/
No data to
pass
to SIP.
WinTrustData.pSIPClientData
=
NULL;
/
/
Disable WVT UI.
WinTrustData.dwUIChoice
=
WTD_UI_NONE;
/
/
No revocation checking.
WinTrustData.fdwRevocationChecks
=
WTD_REVOKE_NONE;
/
/
采用文件方式验证, 其他还有内存等
/
/
Verify an embedded signature on a
file
.
WinTrustData.dwUnionChoice
=
WTD_CHOICE_FILE;
/
/
Verify action.
WinTrustData.dwStateAction
=
WTD_STATEACTION_VERIFY;
/
/
Verification sets this value.
WinTrustData.hWVTStateData
=
NULL;
/
/
Not used.
WinTrustData.pwszURLReference
=
NULL;
/
/
This
is
not
applicable
if
there
is
no UI because it changes
/
/
the UI to accommodate running applications instead of
/
/
installing applications.
WinTrustData.dwUIContext
=
0
;
/
/
Set
pFile.
WinTrustData.pFile
=
&FileData;
/
/
当前操作是要验证签名,后面还需要调用一次关闭去释放从此次验证操作中得到的放在trustData中的数据
/
/
PS: 微软为啥老喜欢同一个接口换个flag就变成完全不同的功能,感觉用个FreeWinVerifyTrustedData之类的不好嘛。。(微软:你在教我做事?)
-
_
-
/
/
WinVerifyTrust verifies signatures as specified by the GUID
/
/
and
Wintrust_Data.
lStatus
=
WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
switch (lStatus)
{
case ERROR_SUCCESS:
/
*
Signed
file
:
-
Hash
that represents the subject
is
trusted.
-
Trusted publisher without
any
verification errors.
-
UI was disabled
in
dwUIChoice. No publisher
or
time stamp chain errors.
-
UI was enabled
in
dwUIChoice
and
the user clicked
"Yes"
when asked to install
and
run the signed
subject.
*
/
/
/
只是验证了签名有效,但是到底是不是预期的签名者进行的签名还不确定, 可以进一步验证
wprintf_s(L
"The file \"%s\" is signed and the signature "
L
"was verified.\n"
,
pwszSourceFile);
return
1
;
break
;
case TRUST_E_NOSIGNATURE:
/
/
The
file
was
not
signed
or
had a signature
/
/
that was
not
valid.
/
/
Get the reason
for
no signature.
dwLastError
=
GetLastError();
if
(TRUST_E_NOSIGNATURE
=
=
dwLastError ||
TRUST_E_SUBJECT_FORM_UNKNOWN
=
=
dwLastError ||
TRUST_E_PROVIDER_UNKNOWN
=
=
dwLastError)
{
/
/
The
file
was
not
signed.
wprintf_s(L
"The file \"%s\" is not signed.\n"
,
pwszSourceFile);
return
0
;
}
else
{
/
/
The signature was
not
valid
or
there was an error
/
/
opening the
file
.
wprintf_s(L
"An unknown error occurred trying to "
L
"verify the signature of the \"%s\" file.\n"
,
pwszSourceFile);
return
0
;
/
/
无签名
}
break
;
case TRUST_E_EXPLICIT_DISTRUST:
/
/
The
hash
that represents the subject
or
the publisher
/
/
is
not
allowed by the admin
or
user.
wprintf_s(L
"The signature is present, but specifically "
L
"disallowed.\n"
);
return
0
;
/
/
无效签名
break
;
case TRUST_E_SUBJECT_NOT_TRUSTED:
/
/
The user clicked
"No"
when asked to install
and
run.
wprintf_s(L
"The signature is present, but not "
L
"trusted.\n"
);
return
-
1
;
break
;
case CRYPT_E_SECURITY_SETTINGS:
/
*
The
hash
that represents the subject
or
the publisher
was
not
explicitly trusted by the admin
and
the
admin policy has disabled user trust. No signature,
publisher
or
time stamp errors.
*
/
wprintf_s(L
"CRYPT_E_SECURITY_SETTINGS - The hash "
L
"representing the subject or the publisher wasn't "
L
"explicitly trusted by the admin and admin policy "
L
"has disabled user trust. No signature, publisher "
L
"or timestamp errors.\n"
);
return
-
1
;
break
;
default:
/
/
The UI was disabled
in
dwUIChoice
or
the admin policy
/
/
has disabled user trust. lStatus contains the
/
/
publisher
or
time stamp chain error.
wprintf_s(L
"Error is: 0x%x.\n"
,
lStatus);
return
-
1
;
break
;
}
/
/
设置flag为CLOSE, 然后释放掉上面申请出来的内存。。
/
/
Any
hWVTStateData must be released by a call with close.
WinTrustData.dwStateAction
=
WTD_STATEACTION_CLOSE;
lStatus
=
WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
/
/
return
true;
}
|
VerifyEmbeddedSignature(文件路径) 如果返回1 则合法 如果其他 则不合法
3.是否联网
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
bool
IsProcessCommunicating(DWORD processId) {
MIB_TCPTABLE_OWNER_PID
*
pTcpTable;
DWORD dwSize
=
0
;
DWORD dwRetVal
=
0
;
pTcpTable
=
(MIB_TCPTABLE_OWNER_PID
*
)malloc(sizeof(MIB_TCPTABLE_OWNER_PID));
if
(pTcpTable
=
=
NULL) {
std::cout <<
"Error allocating memory."
<< std::endl;
return
false;
}
dwRetVal
=
GetExtendedTcpTable(pTcpTable, &dwSize, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL,
0
);
if
(dwRetVal !
=
ERROR_INSUFFICIENT_BUFFER) {
free(pTcpTable);
std::cout <<
"Error getting extended TCP table."
<< std::endl;
return
false;
}
pTcpTable
=
(MIB_TCPTABLE_OWNER_PID
*
)malloc(dwSize);
if
(pTcpTable
=
=
NULL) {
std::cout <<
"Error allocating memory."
<< std::endl;
return
false;
}
dwRetVal
=
GetExtendedTcpTable(pTcpTable, &dwSize, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL,
0
);
if
(dwRetVal
=
=
NO_ERROR) {
for
(DWORD i
=
0
; i < pTcpTable
-
>dwNumEntries; i
+
+
) {
if
(pTcpTable
-
>table[i].dwOwningPid
=
=
processId) {
free(pTcpTable);
return
true;
}
}
}
else
{
std::cout <<
"Error getting extended TCP table."
<< std::endl;
}
free(pTcpTable);
return
false;
}
|
IsProcessCommunicating(进程PID)
如果返回True 则联网
如果为False 则没联网
仅仅是判断了TCP(如果是纯UDP或者纯HTTP可能检测不到)
接下来是一个简单的Method:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
LPCWSTR GetProcessPath(DWORD processId) {
HANDLE hProcess
=
OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processId);
static wchar_t szProcessPath[MAX_PATH];
if
(hProcess !
=
nullptr) {
DWORD size
=
sizeof(szProcessPath)
/
sizeof(szProcessPath[
0
]);
if
(GetModuleFileNameEx(hProcess, nullptr, szProcessPath, size) !
=
0
) {
CloseHandle(hProcess);
return
szProcessPath;
}
else
{
std::wcerr << L
"无法获取进程路径。错误码: "
<< GetLastError() << std::endl;
}
CloseHandle(hProcess);
}
else
{
std::wcerr << L
"无法打开指定进程。错误码: "
<< GetLastError() << std::endl;
}
return
nullptr;
}
|
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
void test(DWORD PID, std::vector<DWORD>& abnormalProcesses) {
bool
a
=
false;
bool
b
=
false;
bool
c
=
false;
if
(Is_Has_Window(PID)
=
=
1
) {
/
/
窗口
b
=
true;
a
=
true;
c
=
true;
}
if
(VerifyEmbeddedSignature(GetProcessPath(PID)) !
=
0
) {
/
/
签名
b
=
true;
a
=
true;
c
=
true;
}
if
(IsProcessCommunicating(PID)
=
=
0
) {
/
/
联网
c
=
true;
}
cout << a << b << c << endl;
if
(!(a && b && c)) {
abnormalProcesses.push_back(PID);
}
}
int
main() {
DWORD processes[
1024
], cbNeeded, cProcesses;
std::vector<DWORD> abnormalProcesses;
if
(EnumProcesses(processes, sizeof(processes), &cbNeeded)) {
cProcesses
=
cbNeeded
/
sizeof(DWORD);
for
(DWORD i
=
0
; i < cProcesses; i
+
+
) {
test(processes[i], abnormalProcesses);
}
system(
"cls"
);
std::cout <<
"不正常的进程:"
<< std::endl;
for
(DWORD PID : abnormalProcesses) {
std::cout << PID;
std::wcout <<
" "
<< GetProcessPath(PID) << endl;
}
}
else
{
std::cout <<
"无法枚举进程。错误码: "
<< GetLastError() << std::endl;
}
system(
"pause"
);
return
0
;
}
|
这个方法误报是有点高的
但是确实有效
可以接入ViursTotal来判断是否为白文件
或者直接过滤System目录
要Anti这个技术也很简单
任意断一项(签名 窗口 联网)
更多【编程技术-新人第一篇 (一个通用的简单反远控技术)】相关视频教程:www.yxfzedu.com
相关文章推荐
- 常见问题解答 - 游戏逆向游戏开发编程技术加壳脱壳
- 常见问题解答 - 游戏逆向游戏开发编程技术加壳脱壳
- 课程VIP说明 - 游戏逆向游戏开发编程技术加壳脱壳
- 免责声明 - 游戏逆向游戏开发编程技术加壳脱壳
- 逆向工具下载 - 游戏逆向游戏开发编程技术加壳脱壳
- 提问技巧 - 游戏逆向游戏开发编程技术加壳脱壳
- 学习路线 - 游戏逆向游戏开发编程技术加壳脱壳
- Pwn-DamCTF and Midnight Sun CTF Qualifiers pwn部分wp - 游戏逆向游戏开发编程技术加壳脱壳
- 软件逆向-OLLVM-deflat 脚本学习 - 游戏逆向游戏开发编程技术加壳脱壳
- 软件逆向-3CX供应链攻击样本分析 - 游戏逆向游戏开发编程技术加壳脱壳
- Android安全-某艺TV版 apk 破解去广告及源码分析 - 游戏逆向游戏开发编程技术加壳脱壳
- Pwn-Hack-A-Sat 4 Qualifiers pwn部分wp - 游戏逆向游戏开发编程技术加壳脱壳
- 二进制漏洞- AFL 源代码速通笔记 - 游戏逆向游戏开发编程技术加壳脱壳
- 二进制漏洞-Netatalk CVE-2018-1160 复现及漏洞利用思路 - 游戏逆向游戏开发编程技术加壳脱壳
- 外文翻译-2022年,工业级EDR绕过蓝图 - 游戏逆向游戏开发编程技术加壳脱壳
- Android安全-关于某ios版本分析 - 游戏逆向游戏开发编程技术加壳脱壳
- Pwn-祥云杯2022-leak Writeup - 游戏逆向游戏开发编程技术加壳脱壳
- 编程技术-加载了对应的调试符号文件也看不了函数名?也许是 fastlink 搞的鬼 - 游戏逆向游戏开发编程技术加壳脱壳
- 编程技术-跨平台重构Cobaltstrike Beacon,行为对国内主流杀软免杀 - 游戏逆向游戏开发编程技术加壳脱壳
- 智能设备-关于thumb2指令下函数运行地址对齐问题及验证固件分析 - 游戏逆向游戏开发编程技术加壳脱壳
记录自己的技术轨迹
文章规则:
1):文章标题请尽量与文章内容相符
2):严禁色情、血腥、暴力
3):严禁发布任何形式的广告贴
4):严禁发表关于中国的政治类话题
5):严格遵守中国互联网法律法规
6):有侵权,疑问可发邮件至service@yxfzedu.com
近期原创 更多