Blockdlls: Stopping EDR from Injecting Its DLL into My Malicious Process

2021-01-14 · AV evasion

Cobalt Strike has a blockdlls command. It makes the processes it spawns refuse to load any DLL that is not signed by Microsoft, which works remarkably well against EDRs that rely on injecting a user-mode DLL.

UpdateProcThreadAttribute

Cobalt Strike implements this by setting a process-creation attribute with UpdateProcThreadAttribute.

[Screenshots: Cobalt Strike's UpdateProcThreadAttribute call; images courtesy of @xpn]

Setting this attribute makes the child process reject injection of any DLL that is not Microsoft-signed.

With blockdlls enabled, the child process is shown with the Signatures restricted (Microsoft only) flag.

[Screenshot: child process with the Signatures restricted (Microsoft only) flag]

Trying to inject a DLL with Process Hacker fails.

[Screenshot: Process Hacker DLL injection failing]

Implementing it yourself

// blockdlls.cpp : entry point of the console application.
// Spawns notepad with the "block non-Microsoft binaries" mitigation, so only
// Microsoft-signed images can be mapped into (or injected into) the child.
#include <Windows.h>
#include <cstdio>

int main()
{
	PROCESS_INFORMATION pi = {};
	STARTUPINFOEXA si = {};
	si.StartupInfo.cb = sizeof(si);            // extended STARTUPINFO: cb must be the EX size
	SIZE_T attributeSize = 0;

	// First call only reports the required buffer size (fails with ERROR_INSUFFICIENT_BUFFER).
	InitializeProcThreadAttributeList(NULL, 1, 0, &attributeSize);
	PPROC_THREAD_ATTRIBUTE_LIST attributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, attributeSize);
	if (attributes == NULL || !InitializeProcThreadAttributeList(attributes, 1, 0, &attributeSize)) {
		printf("InitializeProcThreadAttributeList failed: %lu\n", GetLastError());
		return 1;
	}

	// Mitigation policy: the child refuses to load any image that is not Microsoft-signed.
	DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
	if (!UpdateProcThreadAttribute(attributes, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &policy, sizeof(policy), NULL, NULL)) {
		printf("UpdateProcThreadAttribute failed: %lu\n", GetLastError());
		return 1;
	}
	si.lpAttributeList = attributes;

	// lpCommandLine must point to a writable buffer, not a string literal.
	char cmd[] = "notepad";
	if (!CreateProcessA(NULL, cmd, NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi)) {
		printf("CreateProcessA failed: %lu\n", GetLastError());
	} else {
		printf("notepad started, PID %lu\n", pi.dwProcessId);
		CloseHandle(pi.hThread);
		CloseHandle(pi.hProcess);
	}

	DeleteProcThreadAttributeList(attributes);
	HeapFree(GetProcessHeap(), 0, attributes);   // HeapFree takes no HEAP_ZERO_MEMORY flag
	return 0;
}

The notepad started by this CreateProcessA call cannot be injected with a third-party DLL.

[Screenshot: third-party DLL injection into the spawned notepad failing]

SetProcessMitigationPolicy

This API adds the Signatures restricted (Microsoft only) flag to the current process itself.

// blockdlls.cpp : entry point of the console application.
// Applies the Microsoft-signed-only image policy to the current process.
// SetProcessMitigationPolicy requires Windows 8 or later (_WIN32_WINNT >= 0x0602).
#include <Windows.h>
#include <cstdio>
#include <cstdlib>

int main()
{
	PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY sp = {};
	sp.MicrosoftSignedOnly = 1;
	if (!SetProcessMitigationPolicy(ProcessSignaturePolicy, &sp, sizeof(sp))) {
		printf("SetProcessMitigationPolicy failed: %lu\n", GetLastError());
		return 1;
	}
	printf("Signature policy set on PID %lu\n", GetCurrentProcessId());
	system("PAUSE");   // keep the process alive so it can be inspected in Process Hacker
	return 0;
}

[Screenshot: the process now carries the Signatures restricted (Microsoft only) flag]

Injecting a DLL that is not Microsoft-signed fails with an error.

[Screenshot: injection of a non-Microsoft DLL failing]

Injecting Microsoft's own user32.dll, on the other hand, succeeds.

[Screenshot: injection of user32.dll succeeding]

With PowerShell you can list which running processes currently have the MicrosoftSignedOnly flag set.

get-process | select -exp processname -Unique | % { Get-ProcessMitigation -ErrorAction SilentlyContinue -RunningProcesses $_ | select processname, Id, @{l="Block non-MS Binaries"; e={$_.BinarySignature|select -exp MicrosoftSignedOnly} } }
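As an added example (not code from the original post), the following script does the same enumeration from the API side: it reads the ProcessSignaturePolicy of every running process through GetProcessMitigationPolicy, the read-side counterpart of the SetProcessMitigationPolicy call above, and reports each process with MicrosoftSignedOnly (or its audit variant) set, together with its parent and image path. It serves both as a check on the two programs above (the spawned notepad and the self-hardened process both show up) and as a hunting query: the flag is rare outside a handful of hardened applications, so a process carrying it whose image or parent is not in your baseline is worth a look. The function names, the `$Baseline` parameter and the output shape are this example's own; the constants come from the Win32 headers.

```powershell
# Added example: enumerate processes whose binary-signature mitigation is set.
# Not part of the original post; function names and $Baseline are this example's own.

$nativeSig = @'
using System;
using System.Runtime.InteropServices;
public static class Mitigation {
    // PROCESS_MITIGATION_POLICY::ProcessSignaturePolicy
    public const int ProcessSignaturePolicy = 8;
    // Access right documented for GetProcessMitigationPolicy
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    // PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY is a single DWORD of flags:
    // bit0 MicrosoftSignedOnly, bit1 StoreSignedOnly, bit2 MitigationOptIn,
    // bit3 AuditMicrosoftSignedOnly, bit4 AuditStoreSignedOnly
    public const uint MicrosoftSignedOnly      = 0x1;
    public const uint AuditMicrosoftSignedOnly = 0x8;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int policy, out uint buffer, IntPtr length);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $nativeSig

function Get-SignaturePolicyFlags {
    # Returns the raw policy DWORD for one process, or $null if it cannot be queried.
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [Mitigation]::OpenProcess([Mitigation]::PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }   # access denied (protected process) or already exited
    try {
        [uint32]$flags = 0
        $ok = [Mitigation]::GetProcessMitigationPolicy($h, [Mitigation]::ProcessSignaturePolicy, [ref]$flags, [IntPtr]4)
        if ($ok) { return $flags } else { return $null }
    } finally {
        [void][Mitigation]::CloseHandle($h)
    }
}

function Find-SignedOnlyProcesses {
    # $Baseline is a placeholder: image names (e.g. 'browser.exe') that you have confirmed
    # legitimately run with this policy in your own environment. Everything else is reported.
    param([string[]]$Baseline = @())

    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        $flags = Get-SignaturePolicyFlags -ProcessId ([int]$p.ProcessId)
        if ($null -eq $flags) { continue }
        $enforced = ($flags -band [Mitigation]::MicrosoftSignedOnly) -ne 0
        $audit    = ($flags -band [Mitigation]::AuditMicrosoftSignedOnly) -ne 0
        if (-not ($enforced -or $audit)) { continue }
        if ($Baseline -contains $p.Name) { continue }

        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            Name        = $p.Name
            Pid         = $p.ProcessId
            Enforced    = $enforced
            AuditOnly   = ($audit -and -not $enforced)
            Path        = $p.ExecutablePath
            ParentPid   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $p.CommandLine
        }
    }
}

# Run elevated to cover as many processes as possible; protected processes still refuse OpenProcess.
Find-SignedOnlyProcesses | Sort-Object ParentName, Name | Format-Table -AutoSize
```

Two details matter when reading the output. First, the policy is inherited by children of a flagged process, so a whole tree may appear even though only the root was hardened explicitly; the ParentName column makes that visible. Second, Get-ProcessMitigation above reports the same bit, but going through GetProcessMitigationPolicy avoids the cmdlet's dependency on the Windows Defender Exploit Guard module and also exposes the audit-only variant, which the one-liner does not distinguish.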

image.png

image.png

My writing is poor, my wording flippant, the content shallow and my technique clumsy. Corrections and pointers from the masters are very welcome; many thanks.

