Article from 防护, 2021-06-09 13:06

DDoS attack defense_server firewall open ports_zero false positives


In 2015, Microsoft introduced the Antimalware Scan Interface (AMSI) as a generic application programming interface (API) for software applications to integrate with any installed antivirus (AV). AMSI allows developers of scripting engines such as Python, Ruby, or even Microsoft's very own PowerShell to ask the system's AV to scan the script contents and determine whether the script is malicious or benign prior to executing it. Malicious actors and red teamers have increasingly turned to scripts, like VBScript or PowerShell, not only as an infection vector but also for post-exploitation activity such as dumping credentials or ransoming files in these "file-less malware" attacks. A number of proofs of concept have been released in the past, such as PSAmsi and amsiscanner, that demonstrate how to write an AMSI client. However, very little has been written on actually implementing an AMSI provider. The documentation is severely lacking, so we're going to change that.

Powering the COMponents

Since PowerShell is open-source, we can examine how a script gets scanned via AMSI prior to execution. The script is ultimately compiled prior to execution by the ReallyCompile function in System.Management.Automation. Prior to compilation, a call to PerformSecurityChecks is executed, which calls AmsiUtils.ScanContent and subsequently WinScanContent. WinScanContent sets up the AMSI session and context and calls amsi!AmsiScanString, which calls the IAntimalwareProvider::Scan method of each registered AMSI provider in order; each call returns an AMSI_RESULT enumeration value. If a provider returns a result other than AMSI_RESULT_NOT_DETECTED, scanning stops and that result is returned without calling the remaining providers.

Registering a Provider

An AMSI provider is a COM object that implements the IAntimalwareProvider COM interface. AMSI providers must register themselves by creating a CLSID entry under HKLM\SOFTWARE\Microsoft\AMSI\Providers. When AMSI is initialized in a host process (powershell.exe, winword.exe, mshta.exe, etc.), it enumerates each CLSID listed in the Providers key and initializes the corresponding COM object. The AMSI registration is provided below in the DllRegisterServer method. The DLL can be registered by calling regsvr32.exe with Administrator privileges:

```c
#include <windows.h>
#include <strsafe.h>
#include <initguid.h>

// CLSID of this provider. Generate a fresh GUID (uuidgen) for your own provider.
DEFINE_GUID(CLSID_MyAMSIProvider, 0x02facaae, 0x5213, 0x42c7, 0x9b, 0x65, 0x12, 0x3a, 0xe7, 0x10, 0x13, 0xa8);

static const TCHAR gc_szClassDescription[] = TEXT("MyAMSIProvider");
static const TCHAR gc_szThreadingModel[]   = TEXT("Both");
static const TCHAR gc_szInProcServer[]     = TEXT("InProcServer32");
static HMODULE g_hModule = NULL;

BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        g_hModule = hModule;   // remembered so DllRegisterServer can find our own path
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

STDAPI DllRegisterServer(void)
{
    HRESULT hr = S_OK;
    LONG lRet = ERROR_SUCCESS;
    HKEY hClsidKey = NULL;
    HKEY hInProcKey = NULL;
    HKEY hAmsiKey = NULL;
    LPOLESTR lpszGuid = NULL;
    TCHAR szRegKey[MAX_PATH] = {0};
    TCHAR szAmsiProvider[MAX_PATH] = {0};
    TCHAR szFile[MAX_PATH] = {0};

    CoInitialize(NULL);
    // Full path of this DLL, which becomes the InProcServer32 default value.
    GetModuleFileName(g_hModule, szFile, sizeof(szFile) / sizeof(TCHAR));

    hr = StringFromCLSID(&CLSID_MyAMSIProvider, &lpszGuid);
    if (FAILED(hr)) goto done;

    // HKCR\CLSID\{guid} for the COM class, HKLM\SOFTWARE\Microsoft\AMSI\Providers\{guid} for AMSI.
    hr = StringCbPrintf(szRegKey, sizeof(szRegKey), TEXT("CLSID\\%ls"), lpszGuid);
    if (FAILED(hr)) goto done;
    hr = StringCbPrintf(szAmsiProvider, sizeof(szAmsiProvider), TEXT("SOFTWARE\\Microsoft\\AMSI\\Providers\\%ls"), lpszGuid);
    if (FAILED(hr)) goto done;

    lRet = RegCreateKeyEx(HKEY_CLASSES_ROOT, szRegKey, 0, NULL, REG_OPTION_NON_VOLATILE,
                          KEY_SET_VALUE | KEY_CREATE_SUB_KEY, NULL, &hClsidKey, NULL);
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

    lRet = RegSetValueEx(hClsidKey, NULL, 0, REG_SZ, (const BYTE *)gc_szClassDescription, sizeof(gc_szClassDescription));
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

    lRet = RegCreateKeyEx(hClsidKey, gc_szInProcServer, 0, NULL, REG_OPTION_NON_VOLATILE,
                          KEY_SET_VALUE, NULL, &hInProcKey, NULL);
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

    lRet = RegSetValueEx(hInProcKey, NULL, 0, REG_SZ, (const BYTE *)szFile, (lstrlen(szFile) + 1) * sizeof(TCHAR));
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

    lRet = RegSetValueEx(hInProcKey, TEXT("ThreadingModel"), 0, REG_SZ, (const BYTE *)gc_szThreadingModel, sizeof(gc_szThreadingModel));
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

    // Creating the key under Providers is what makes AMSI load us; no values are required.
    lRet = RegCreateKeyEx(HKEY_LOCAL_MACHINE, szAmsiProvider, 0, NULL, REG_OPTION_NON_VOLATILE,
                          KEY_SET_VALUE | KEY_CREATE_SUB_KEY, NULL, &hAmsiKey, NULL);
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

done:
    if (hInProcKey != NULL) RegCloseKey(hInProcKey);
    if (hClsidKey != NULL) RegCloseKey(hClsidKey);
    if (hAmsiKey != NULL) RegCloseKey(hAmsiKey);
    if (lpszGuid != NULL) CoTaskMemFree(lpszGuid);
    return hr;
}
```

Now that we can accept AMSI callbacks, we need to implement IAntimalwareProvider::Scan. The method below enumerates the various attributes of the IAmsiStream:

AMSI_ATTRIBUTE_APP_NAME - application name such as OFFICE_VBA
AMSI_ATTRIBUTE_CONTENT_NAME - script file name
AMSI_ATTRIBUTE_CONTENT_SIZE - script buffer size
AMSI_ATTRIBUTE_CONTENT_ADDRESS - pointer to script buffer

```c
#include <windows.h>
#include <amsi.h>

HRESULT STDMETHODCALLTYPE MyAMSIProvider_Scan(IAntimalwareProvider *This, IAmsiStream *stream, AMSI_RESULT *result)
{
    HRESULT hr = S_OK;
    LPWSTR wszApp = NULL;
    LPWSTR wszFile = NULL;
    ULONGLONG ullSize = 0;
    PBYTE pBuf = NULL;
    ULONG ulRetData = 0;
    DWORD dwRet = 0;
    DWORD dwWritten = 0;
    CHAR lpPath[MAX_PATH + 1] = {0};
    CHAR lpFile[MAX_PATH] = {0};
    HANDLE hFile = INVALID_HANDLE_VALUE;
    BOOL bSuccess = FALSE;

    stream->lpVtbl->AddRef(stream);

    // Get the program executing the script. A zero-sized query fails with E_NOT_SUFFICIENT_BUFFER
    // and reports the required size in ulRetData; allocate that much and query again.
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_APP_NAME, 0, NULL, &ulRetData);
    if (hr != E_NOT_SUFFICIENT_BUFFER) goto get_name;
    wszApp = (LPWSTR)VirtualAlloc(NULL, ulRetData, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (wszApp == NULL) goto get_name;
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_APP_NAME, ulRetData, (PBYTE)wszApp, &ulRetData);

get_name:
    // Get the file name of the script (same two-step pattern).
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_CONTENT_NAME, 0, NULL, &ulRetData);
    if (hr != E_NOT_SUFFICIENT_BUFFER) goto get_size;
    wszFile = (LPWSTR)VirtualAlloc(NULL, ulRetData, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (wszFile == NULL) goto get_size;
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_CONTENT_NAME, ulRetData, (PBYTE)wszFile, &ulRetData);

get_size:
    // Get the size of the script data.
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_CONTENT_SIZE, sizeof(ullSize), (PBYTE)&ullSize, &ulRetData);
    if (FAILED(hr)) goto done;

    // Get a pointer to the script data. The buffer is not NUL-terminated; ullSize bounds it.
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_CONTENT_ADDRESS, sizeof(pBuf), (PBYTE)&pBuf, &ulRetData);
    if (FAILED(hr)) goto done;

    dwRet = GetTempPathA(sizeof(lpPath), lpPath);
    if (dwRet == 0 || dwRet > sizeof(lpPath)) goto done;
    if (GetTempFileNameA(lpPath, "ams", 0, lpFile) == 0) goto done;   // any up-to-3-character prefix

    // Perform script analysis here. This sample only dumps the script to a temp file for inspection.
    hFile = CreateFileA(lpFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) goto done;
    bSuccess = WriteFile(hFile, pBuf, (DWORD)ullSize, &dwWritten, NULL);
    CloseHandle(hFile);

done:
    *result = AMSI_RESULT_NOT_DETECTED;   // Do nothing
    //*result = AMSI_RESULT_DETECTED;     // Block all the things
    if (wszApp) VirtualFree(wszApp, 0, MEM_RELEASE);
    if (wszFile) VirtualFree(wszFile, 0, MEM_RELEASE);
    stream->lpVtbl->Release(stream);
    return hr;
}
```
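The provider chain described under "Powering the COMponents", modelled in portable C as an added example (not code from the article): scan_chain walks providers in registration order and stops at the first verdict other than AMSI_RESULT_NOT_DETECTED, using the AMSI_RESULT values and the AmsiResultIsMalware rule from amsi.h. The three providers, the marker string and the "#allowlisted" prefix are constructed for the demo; it also shows that a provider answering AMSI_RESULT_CLEAN short-circuits every provider after it.

```c
#include <stddef.h>
#include <string.h>

/* AMSI_RESULT values as amsi.h defines them; the numeric ranges matter, not just the names. */
typedef enum {
    AMSI_RESULT_CLEAN = 0,
    AMSI_RESULT_NOT_DETECTED = 1,
    AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384,
    AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479,
    AMSI_RESULT_DETECTED = 32768
} AMSI_RESULT;

/* amsi.h's AmsiResultIsMalware: the host treats any result at or above DETECTED as malware. */
int amsi_result_is_malware(AMSI_RESULT r) { return r >= AMSI_RESULT_DETECTED; }

/* A registered provider reduced to its Scan verdict; `calls` is a constructed counter showing who actually ran. */
typedef struct { const char *name; AMSI_RESULT (*scan)(const char *content); int calls; } Provider;

/* What amsi!AmsiScanString does across providers: walk them in registration order and stop at the first
   verdict other than NOT_DETECTED, so later providers never see content an earlier one has already judged. */
static AMSI_RESULT scan_chain(Provider *p, size_t n, const char *content, size_t *decided_by) {
    for (size_t i = 0; i < n; i++) {
        AMSI_RESULT r;
        p[i].calls++;
        r = p[i].scan(content);
        if (r != AMSI_RESULT_NOT_DETECTED) { *decided_by = i; return r; }
    }
    *decided_by = n;   /* no provider objected */
    return AMSI_RESULT_NOT_DETECTED;
}

/* Three constructed providers: an allowlister that answers CLEAN (which also stops the chain), a marker
   detector that answers DETECTED, and one that never objects. */
static AMSI_RESULT allowlist_scan(const char *c) { return strncmp(c, "#allowlisted", 12) == 0 ? AMSI_RESULT_CLEAN : AMSI_RESULT_NOT_DETECTED; }
static AMSI_RESULT marker_scan(const char *c) { return strstr(c, "CONSTRUCTED-TEST-MARKER") ? AMSI_RESULT_DETECTED : AMSI_RESULT_NOT_DETECTED; }
static AMSI_RESULT permissive_scan(const char *c) { (void)c; return AMSI_RESULT_NOT_DETECTED; }

/* Outcome of one scan: host verdict, index of the deciding provider (3 = none), whether the last provider ran. */
typedef struct { int malware; size_t decided_by; int third_ran; } ChainOutcome;

ChainOutcome run_chain(const char *script) {
    Provider chain[3] = { { "Allowlist", allowlist_scan, 0 }, { "Marker", marker_scan, 0 }, { "Permissive", permissive_scan, 0 } };
    ChainOutcome o;
    AMSI_RESULT r = scan_chain(chain, 3, script, &o.decided_by);
    o.malware = amsi_result_is_malware(r);
    o.third_ran = chain[2].calls;
    return o;
}
```

Provider order is therefore a security property: a permissive provider registered ahead of a strict one can answer CLEAN for content the strict one would have flagged.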
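The attribute retrieval that Scan performs, as an added example in portable C rather than the article's Windows code: a mock IAmsiStream vtable reproduces the real GetAttribute contract (E_NOT_SUFFICIENT_BUFFER with the required size on an undersized call), and model_scan applies the two-call sizing pattern to the string attributes, then reads the size and the raw, non NUL-terminated content pointer. The string attributes are narrow char here instead of the LPWSTR AMSI actually hands over, and the marker rule plus the names model_scan and get_string_attribute are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Values from amsi.h and winerror.h, so the sizing contract below matches the real one. */
typedef enum { AMSI_ATTRIBUTE_APP_NAME, AMSI_ATTRIBUTE_CONTENT_NAME, AMSI_ATTRIBUTE_CONTENT_SIZE, AMSI_ATTRIBUTE_CONTENT_ADDRESS } AMSI_ATTRIBUTE;
typedef int32_t HRESULT;
#define S_OK ((HRESULT)0)
#define E_NOT_SUFFICIENT_BUFFER ((HRESULT)0x8007007A)
/* Plain-C stand-in for the IAmsiStream vtable that Scan calls through (stream->lpVtbl->GetAttribute). */
typedef struct IAmsiStream { const struct IAmsiStreamVtbl *lpVtbl; const char *app, *file, *script; uint32_t len; } IAmsiStream;
struct IAmsiStreamVtbl { HRESULT (*GetAttribute)(IAmsiStream *, AMSI_ATTRIBUTE, uint32_t, unsigned char *, uint32_t *); };
/* Mock GetAttribute honouring the real contract: an undersized buffer yields E_NOT_SUFFICIENT_BUFFER, required size in *ret. */
static HRESULT mock_get_attribute(IAmsiStream *s, AMSI_ATTRIBUTE a, uint32_t size, unsigned char *buf, uint32_t *ret) {
    const char *addr = s->script; const void *src; uint32_t need;
    switch (a) {
    case AMSI_ATTRIBUTE_APP_NAME:     src = s->app;  need = (uint32_t)strlen(s->app) + 1;  break;
    case AMSI_ATTRIBUTE_CONTENT_NAME: src = s->file; need = (uint32_t)strlen(s->file) + 1; break;
    case AMSI_ATTRIBUTE_CONTENT_SIZE: src = &s->len; need = sizeof s->len;                 break;
    default:                          src = &addr;   need = sizeof addr;                   break;  /* CONTENT_ADDRESS */
    }
    *ret = need;
    if (size < need) return E_NOT_SUFFICIENT_BUFFER;   /* caller must come back with a buffer of *ret bytes */
    memcpy(buf, src, need); return S_OK;
}
static const struct IAmsiStreamVtbl mock_vtbl = { mock_get_attribute };

/* The two-call sizing the article's Scan relies on: ask with size 0, allocate what was reported, ask again. */
static char *get_string_attribute(IAmsiStream *s, AMSI_ATTRIBUTE a) {
    uint32_t need = 0; char *buf;
    if (s->lpVtbl->GetAttribute(s, a, 0, NULL, &need) != E_NOT_SUFFICIENT_BUFFER || !(buf = malloc(need))) return NULL;
    if (s->lpVtbl->GetAttribute(s, a, need, (unsigned char *)buf, &need) != S_OK) { free(buf); buf = NULL; }
    return buf;
}
/* Model of IAntimalwareProvider::Scan over a constructed stream: read the four attributes, then apply a constructed marker
   rule to the content, which is length-delimited rather than NUL-terminated, just as AMSI hands it over.
   Returns 1 for DETECTED, 0 for NOT_DETECTED, -1 when an attribute could not be read. */
int model_scan(const char *app, const char *file, const char *script) {
    static const char marker[] = "CONSTRUCTED-TEST-MARKER";
    IAmsiStream s = { &mock_vtbl, app, file, script, (uint32_t)strlen(script) };
    char *app_name = get_string_attribute(&s, AMSI_ATTRIBUTE_APP_NAME), *file_name = get_string_attribute(&s, AMSI_ATTRIBUTE_CONTENT_NAME);
    uint32_t size = 0, got = 0, i; const char *addr = NULL; int verdict = -1;
    if (app_name && file_name
        && s.lpVtbl->GetAttribute(&s, AMSI_ATTRIBUTE_CONTENT_SIZE, sizeof size, (unsigned char *)&size, &got) == S_OK
        && s.lpVtbl->GetAttribute(&s, AMSI_ATTRIBUTE_CONTENT_ADDRESS, sizeof addr, (unsigned char *)&addr, &got) == S_OK) {
        verdict = 0;
        for (i = 0; i + sizeof marker - 1 <= size; i++)
            if (memcmp(addr + i, marker, sizeof marker - 1) == 0) { verdict = 1; break; }
    }
    free(app_name); free(file_name);
    return verdict;
}
```

On Windows the same two-call pattern applies unchanged; only the mock stream is replaced by the IAmsiStream the host passes in.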