freeBuf
主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

探索阻止EDR的dll注入
2024-04-04 00:18:30

前记

许多EDR产品常见的操作是将他们的DLL注入到其想监测的进程中,寻找前辈们的防注入思路发现大概有以下两种,分别是:

1、PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON会阻止不带微软签名的DLL加载

2、ProcessDynamicCodePolicy禁用了VirtualProtect和分配RWX内存可能会强制阻止一个带微软签名的DLL加载

于是分别测试实战效果(这里仅以普通dll注入,即远程LoadLibrary加载而非创建远程线程)

blockdlls

#include <Windows.h>

int main()
{
	STARTUPINFOEXA si = {0};
	PROCESS_INFORMATION pi = { 0 };
	SIZE_T size = 0;
	BOOL ret;

	// Required for a STARTUPINFOEXA
	si.StartupInfo.cb = sizeof(STARTUPINFOEXA);

	// Get the size of our PROC_THREAD_ATTRIBUTE_LIST to be allocated
	InitializeProcThreadAttributeList(NULL, 1, 0, &size);

	// Allocate memory for PROC_THREAD_ATTRIBUTE_LIST
	si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(
		GetProcessHeap(),
		HEAP_ZERO_MEMORY,
		size
	);

	// Initialise our list 
	InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);

	// Enable blocking of non-Microsoft signed DLLs
	DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;

	// Assign our attribute
	UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &policy, sizeof(policy), NULL, NULL);

	// Finally, create the process
	ret = CreateProcessA(
		NULL,
		(LPSTR)"C:\\Windows\\System32\\notepad.exe",
		NULL,
		NULL,
		true,
		EXTENDED_STARTUPINFO_PRESENT,
		NULL,
		NULL,
		reinterpret_cast<LPSTARTUPINFOA>(&si),
		&pi
	);
}

这里通过UpdateProcThreadAttribute 添加lpAttributeList中PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY属性为PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON,然后创建的进程如图:Only Microsoft signatures are allowed.

有用但是用处不大,因为发现大多数EDR使用有效的Microsoft签名来对抗该策略!
image-20240326201257200.png

ACG

ProcessDynamicCodePolicyis also sometimes called Arbitrary Code Guard (ACG)

ACG是Windows系统的另一个安全策略,具体如下

1、现有代码被修改(代码页不能变为可写);
2、在数据段上写入代码并执行(数据不能变为代码)。
即不能申请和修改同时具有写入(W)和执行(X)的权限

#include <iostream>
#include <Windows.h>
#include <processthreadsapi.h>

int main()
{
	STARTUPINFOEX si;
	DWORD oldProtection;

	PROCESS_MITIGATION_DYNAMIC_CODE_POLICY policy;
	ZeroMemory(&policy, sizeof(policy));
	policy.ProhibitDynamicCode = 1;

	void* mem = VirtualAlloc(0, 1024, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (mem == NULL) {
		printf("[!] Error allocating RWX memory\n");
	}
	else {
		printf("[*] RWX memory allocated: %p\n", mem);
	}

	printf("[*] Now running SetProcessMitigationPolicy to apply PROCESS_MITIGATION_DYNAMIC_CODE_POLICY\n");

	// Set our mitigation policy
	if (SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &policy, sizeof(policy)) == false) {
		printf("[!] SetProcessMitigationPolicy failed\n");
		return 0;
	}

	// Attempt to allocate RWX protected memory (this will fail)
	mem = VirtualAlloc(0, 1024, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (mem == NULL) {
		printf("[!] Error allocating RWX memory\n");
	}
	else {
		printf("[*] RWX memory allocated: %p\n", mem);
	}

	void* ntAllocateVirtualMemory = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtAllocateVirtualMemory");

	// Let's also try a VirtualProtect to see if we can update an existing page to RWX
	if (!VirtualProtect(ntAllocateVirtualMemory, 4096, PAGE_EXECUTE_READWRITE, &oldProtection)) {
		printf("[!] Error updating NtAllocateVirtualMemory [%p] memory to RWX\n", ntAllocateVirtualMemory);
	}
	else {
		printf("[*] NtAllocateVirtualMemory [%p] memory updated to RWX\n", ntAllocateVirtualMemory);
	}
    system("pause");
}
[*] RWX memory allocated: 0000018B24D70000
[*] Now running SetProcessMitigationPolicy to apply PROCESS_MITIGATION_DYNAMIC_CODE_POLICY
[!] Error allocating RWX memory
[!] Error updating NtAllocateVirtualMemory [00007FFA9248F660] memory to RWX

尝试本地注入失败,但是远程dll注入和远程创建新线程均可以成功,正如下面所言

But actually, ACG doesn’t block a remote processes ability to call a function such as VirtualAllocEx.Unfortunately there doesn’t appear to be a way to set the Process Mitigation policy when calling CreateProcess either

看到有研究者写到:

许多EDR产品常见的操作是将他们的DLL注入到其想监测的进程中,围绕特定的API函数实现用户态hook技术(参考文章)。由于hook技术通常需要修改现有的可执行内存页以添加hook,因此EDR通常需要调用VirtualProtect来更新内存保护。如果我们在恶意软件设计上启用ProcessDynamicCodePolicy可能有助于保护其免受EDR hook监测的影响

然而并不现实,EDR通常在我们的进程刚启动的时候就已经完成注入和内存修改并进行hook,而我们后续的属性设定操作是在edr的dll注入之后才完成的,并且我们没法在创建之前就设定该属性

结论

签名策略和ACG不太可能帮助防止反病毒供应商的DLL注入,而考虑采取以下措施:

  • Reload the hooked DLL’s from disk

  • Modify the injected DLL’s to make sure they don’t take action

  • Attempt direct system calls to bypass the hooks

测试代码

a.dll

#include<windows.h>
#include "pch.h"
int a=10;
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
    )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

inject.exe

#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>
typedef FARPROC
(WINAPI
	* pGetProcAddress)(
		_In_ HMODULE hModule,
		_In_ LPCSTR lpProcName
		);
typedef HMODULE
(WINAPI
	* pLoadLibraryA)(
		_In_ LPCSTR lpLibFileName
		);

BOOL mydllinject(DWORD pid, LPCTSTR szDllPath);
int main(int argc, char* argv[])
{
	DWORD pid = (DWORD)atoi(argv[1]);
	printf("%d", pid);
	mydllinject(pid, L"a.dll");
	system("pause");
	return 0;
}

BOOL mydllinject(DWORD pid, LPCTSTR szDllPath)
{
	HMODULE hMod = GetModuleHandle(L"kernel32.dll");
	pGetProcAddress pThreadProc = (pGetProcAddress)GetProcAddress(hMod, "LoadLibraryW");
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	if (hProcess == NULL)
	{
		return FALSE;
	}
	DWORD size = (DWORD)(wcslen(szDllPath) + 1) * sizeof(TCHAR);
	LPVOID conAddr = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE);
	if (conAddr == NULL)
	{
		return FALSE;
	}
	printf("add:%x", conAddr);
	int writecon = WriteProcessMemory(hProcess, conAddr, (LPCVOID)szDllPath, size, NULL);
	if (writecon == 0)
	{
		printf("WriteProcessMemory:%d\n", GetLastError());
	}

	HANDLE thred = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pThreadProc, conAddr, 0, NULL);
	if (thred == NULL)
	{
		printf("CreateRemoteThread:%d\n", GetLastError());
	}
	WaitForSingleObject(thred, INFINITE);
}

reference

https://www.cnblogs.com/zha0gongz1/p/15391205.html
https://blog.xpnsec.com/protecting-your-malware/
# 系统安全 # 免杀 # EDR绕过
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
  • 0 文章数
  • 0 关注者
文章目录