Code Accumulation
2020-10-26 14:39:31
snowming

Rot13:

https://0xpat.github.io/Malware_development_part_1/

--------------------

In-Memory shellcode decoding to evade AVs/EDRs (shellcode XOR code)

---------------------------

WoW64 - aka Windows (32-bit) on Windows (64-bit) - is a subsystem that enables 32-bit Windows applications to run on 64-bit Windows

(This article is also very helpful for yesterday's topic of bypassing hooks under ring 3.)

https://wbenny.github.io/2018/11/04/wow64-internals.html

----------------------------------------

#Recommended #RedTips Countering EDR has become a trend

I don't know whether everyone has noticed, but many well-known foreign red teams have already turned the ABU spearhead toward EDR, and are releasing related articles and open-source projects one after another. Today I recommend one article:

https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking/

A new method for countering EDR hooking at R3 (ring 3); related project address: https://github.com/mdsecactivebreach/firewalker

PS: Dealing with some shoddily made domestic EDRs doesn't even take this much effort.

-----------------------------------------

#Recommended

I recommend looking at the syscall part at the end of ABU section 2 and getting to know the SSDT API functions; that makes this article a little easier to understand.

Kernel Mode TCP Sockets + LSASS Dump

https://zerosum0x0.blogspot.com/2020/08/sassykitdi-kernel-mode-tcp-sockets.html?m=1

For syscall-related references I summarized the ABU series by the master (师傅). (I have studied it for a long time, and I am also looking forward to the targeted ABU video explanation.)

---------------------------------------------

A series of articles on red team software development, mainly covering techniques used during development to bypass defenses; four parts have been published so far.

https://0xpat.github.io/Malware_development_part_1/

----------------------------------------------

#Recommended Windows Data Structures and Callbacks, Part I

Many Windows data structures and callbacks are very important. They are also heavily used on the Beacon side (client side) of a C2, for example for communication between modules and the core. This article explains these structures and callbacks in great detail; it is hard knowledge that C2 development requires mastering.

Article address:

https://modexp.wordpress.com/2020/08/06/windows-data-structures-and-callbacks-part-1/

------------------------------------------

Anti-debugging techniques compiled by Check Point; many of the techniques are quite good. The point of anti-debugging is to evade detection and evade sandboxes, and ultimately to add working hours for the analysts. Once a sample reaches a human's hands, being analyzed is only a matter of time; what needs to be done is to avoid the detection software's "suspicious" verdict and prevent the sample from being uploaded.

https://anti-debug.checkpoint.com

---------------------------------------------

BOF came out a few days ago, and I happen to be looking at DLL injection recently as well. APC injection is also a very classic method; I recommend everyone study it. (The translated article on Cobalt Strike DLL injection principles that I mentioned sharing earlier is almost done; looking forward to sharing it with everyone.)

https://github.com/m57/cobaltstrike_bof

---------------------------------------------

https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/

An article on AV evasion (免杀), explained in great detail; worth referencing.

---------------------------------------------

https://blog.sevagas.com/IMG/pdf/code_injection_series_part1.pdf
https://blog.sevagas.com/#pagination_articles_recents
https://blog.sevagas.com/?PE-injection-explained
https://blog.sevagas.com/?Bypass-Antivirus-Dynamic-Analysis
https://blog.sevagas.com/?String-encryption-using-macro-and

https://www.vergiliusproject.com/kernels/x64/Windows%20Vista%20%7C%202008/RTM/_RTL_USER_PROCESS_PARAMETERS

https://github.com/Cc28256/CcRemote

https://modexp.wordpress.com/2017/01/15/shellcode-resolving-api-addresses/

https://modexp.wordpress.com/2018/07/12/process-injection-writing-payload/

https://blog.csdn.net/u010920300/article/details/12777129

https://idiotc4t.com/code-and-dll-process-injection/dll-hollowing

https://kiwings.github.io/2019/04/04/th-DLL%E5%8A%AB%E6%8C%81/

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms686736(v=vs.85)
https://www.write-bug.com/article/2235.html
https://www.cnblogs.com/iBinary/p/12095895.html
https://blog.csdn.net/change518/article/details/7496912

The State of Advanced Code Injections

https://adalogics.com/blog/the-state-of-advanced-code-injections
