大家一起看 Anti VirusJohnThunder

自我介紹• 姜尚德 aka John Thunder

• UCCU 戰隊

• 聯絡資訊：John@johnthunder.one

一場戰爭病毒與反病毒

防守策略• Signature Based Detection• Static Program Analyze

• Dynamic Program Analyze• Sandbox• Heuristic Analysis• Entropy

攻守一體• Obfuscation

• Packers

• Crypters

Windows Load PE File Address Space Layout Randomization Crypters With PE Injection

“NtUnmapViewOfSection” and “ZwUnmapViewOfSection”

PE Injection

見招拆招

meterpreter reverse tcp shellcode(Before)

meterpreter reverse tcp shellcode(After)

– Decryption loop detected – Reads active computer name – Reads the cryptographic machine GUID – Contacts random domain names – Reads the windows installation date – Drops executable files – Found potential IP address in binary memory – Modifies proxy settings

Heuristic Engines – Installs hooks/patches the running process – Injects into explorer – Injects into remote process – Queries process information – Sets the process error mode to suppress error box – Unusual entrophy – Possibly checks for the presence of antivirus engine – Monitors specific registry key for changes – Contains ability to elevate privileges – Modifies software policy settings

解密過程 Avoid Decryption loop

detected

Decrypt Shellcode

Is Debugger ? Load Fake Library Get Tick Count Number Of Cores Huge Memory Allocations Trap Flag Manipulation Mutex Triggered WinExec

Dynamic Analysis Detection/Anti Detection

Is Debugger ?

Is Debugger ?

Load Fake Library/Get Tick Count

Trap Flag

Mutex Triggered WinExec

DEP機制 使用Windows API 讓 shellcode 包含讀、寫、執行的

address memeory

正確的執行 shellcodes

結論 許多保護機制同時也是可以拿來利用的 (visual studio) Trick 要結合成 Combo 技才能發揮作用