And so I ended up reading into the related shellcode material.
Post-meeting discussion and supplementary notes:
Supplement 1. Another purpose of API hashing is that when the shellcode is subjected to static analysis, it is not apparent what these hash values are used for.
Supplement 2.
p.35, p.36: Bypassing Up-to-Standards Secure Corporate Environment
1. The paper uses a web gateway (proxy AV): ProxySG. Its design concept is real-time protection for web content, so performing rich dynamic analysis is not realistic. Reference: https://www.symantec.com/products/secure-web-gateway-proxy-sg-and-asg
2. The following is excerpted from https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/
```
define condition Meterpreter_ReflectiveDLL
; x86 payload
http.response.data.11.regex="^\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55"
end
```
From this one can infer that ProxySG is a signature-based AV. Whether it also has heuristic analysis is unknown.
For the HTTP request packet of 64KB plus the meterpreter stage DLL, assuming the bypass succeeds, it means the proxy AV only inspects 64KB; it probably assumes that large packets are files and leaves them to the local AV for inspection, so the data reaches the target's memory. Little does it know that the DLL injection into the stager is done in memory, where the local AV cannot inspect it either.
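To make the two points above concrete, here is an added example (not from the slides or from the ProxySG product) that re-implements the quoted CPL signature as a Python check over an HTTP response body and models the inspection-size blind spot discussed above. The 64 KB limit, the `proxy_verdict` behaviour for oversized bodies and all sample byte strings are constructed assumptions for illustration.

```python
import re

# Same 11-byte pattern as the quoted ProxySG rule: the MZ header followed by the
# x86 reflective-DLL bootstrap stub (call $+5 / pop ebx / push edx / inc ebp / push ebp).
METERPRETER_REFLECTIVE_DLL_X86 = re.compile(
    rb"^\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55"
)

# Assumed inspection limit, modelled on the 64 KB figure in the discussion above.
DEFAULT_INSPECT_LIMIT = 64 * 1024


def http_body(raw_response: bytes) -> bytes:
    """Return the body of a raw HTTP response (what http.response.data refers to)."""
    header_end = raw_response.find(b"\r\n\r\n")
    return b"" if header_end < 0 else raw_response[header_end + 4:]


def matches_signature(body: bytes, prefix_len: int = 11) -> bool:
    """True if the first prefix_len bytes of the body match the signature."""
    return METERPRETER_REFLECTIVE_DLL_X86.match(body[:prefix_len]) is not None


def proxy_verdict(body: bytes, inspect_limit: int = DEFAULT_INSPECT_LIMIT) -> str:
    """Model a proxy that applies the signature only to bodies it fully inspects.

    Bodies larger than inspect_limit are passed through uninspected (assumed
    behaviour), which is the blind spot described in the discussion above.
    """
    if len(body) > inspect_limit:
        return "passed-uninspected"
    return "blocked" if matches_signature(body) else "allowed"


# Constructed samples (not real payloads): the 11 signature bytes plus filler,
# an ordinary PE header prefix, and a signature-bearing body over the limit.
SIGNATURE_PREFIX = b"\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55"
CONSTRUCTED_STAGE = SIGNATURE_PREFIX + b"\x00" * 500
CONSTRUCTED_BENIGN_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00" + b"\x00" * 500
CONSTRUCTED_LARGE_STAGE = SIGNATURE_PREFIX + b"\x00" * DEFAULT_INSPECT_LIMIT
CONSTRUCTED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 511\r\n\r\n" + CONSTRUCTED_STAGE

if __name__ == "__main__":
    for name, sample in [("stage", CONSTRUCTED_STAGE), ("benign", CONSTRUCTED_BENIGN_PE),
                         ("large stage", CONSTRUCTED_LARGE_STAGE)]:
        print(f"{name}: {proxy_verdict(sample)}")
    print(f"raw response: {proxy_verdict(http_body(CONSTRUCTED_RESPONSE))}")
```

A defender can use the same check on captured response bodies to confirm whether a given appliance's byte-prefix signature would have fired, and the `inspect_limit` parameter shows why a size-capped inspector needs a second control (host EDR or memory scanning) behind it.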