序言:首先,我不能保证全部拦住,只能保证拦住简单的那种,没经过特殊处理的
我们都知道,远程控制木马病毒,一直是杀毒软件困扰的
但是我们通过观察他们的表面特征,都能发现几个共同点
1.没有窗口
2.一般来说没有签名
3.Mutex互斥体(防止重复上线)
4.联网
特征显而易见
但是有些远控不加Mutex 所以我们不判断这个
那么剩下的就是 没有窗口 没有签名 和联网了
有些木马是有签名的,我们暂时不提
我们要用到的头文件和namespace这些
好,我们可以开始编写主体部分了
1.判断是否有窗口,代码如下
Is_Has_Window(进程PID) 如果返回1 就有窗口 如果返回0 就没窗口
2.判断签名是否合法
VerifyEmbeddedSignature(文件路径) 如果返回1 则合法 如果其他 则不合法
3.是否联网
IsProcessCommunicating(进程PID)
如果返回True 则联网
如果为False 则没联网
仅仅是判断了TCP(如果是纯UDP或者纯HTTP可能检测不到)
接下来是一个简单的Method:
接下来的工作就很简单了
遍历进程然后判断就好
也可以用Event Trace For Windows(ProcessMon判断新进程是否为远控木马)
这个方法误报是有点高的
但是确实有效
可以接入ViursTotal来判断是否为白文件
或者直接过滤System目录
要Anti这个技术也很简单
任意断一项(签名 窗口 联网)
using namespace std;
bool
DoesProcessHaveWindow(DWORD processId) {
HWND hwnd
=
FindWindow(nullptr, nullptr);
while
(hwnd) {
DWORD windowProcessId;
GetWindowThreadProcessId(hwnd, &windowProcessId);
if
(windowProcessId
=
=
processId) {
return
true;
}
hwnd
=
GetWindow(hwnd, GW_HWNDNEXT);
}
return
false;
}
int
Is_Has_Window(DWORD targetProcessId) {
if
(DoesProcessHaveWindow(targetProcessId)) {
std::cout <<
"The specified process has a window."
<< std::endl;
return
1
;
}
else
{
std::cout <<
"The specified process does not have a window."
<< std::endl;
return
0
;
}
}
bool
DoesProcessHaveWindow(DWORD processId) {
HWND hwnd
=
FindWindow(nullptr, nullptr);
while
(hwnd) {
DWORD windowProcessId;
GetWindowThreadProcessId(hwnd, &windowProcessId);
if
(windowProcessId
=
=
processId) {
return
true;
}
hwnd
=
GetWindow(hwnd, GW_HWNDNEXT);
}
return
false;
}
int
Is_Has_Window(DWORD targetProcessId) {
if
(DoesProcessHaveWindow(targetProcessId)) {
std::cout <<
"The specified process has a window."
<< std::endl;
return
1
;
}
else
{
std::cout <<
"The specified process does not have a window."
<< std::endl;
return
0
;
}
}
int
VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
LONG
lStatus;
DWORD dwLastError;
/
/
Initialize the WINTRUST_FILE_INFO structure.
/
/
待验证文件的完整路径
WINTRUST_FILE_INFO FileData;
memset(&FileData,
0
, sizeof(FileData));
FileData.cbStruct
=
sizeof(WINTRUST_FILE_INFO);
FileData.pcwszFilePath
=
pwszSourceFile;
FileData.hFile
=
NULL;
FileData.pgKnownSubject
=
NULL;
/
*
WVTPolicyGUID specifies the policy to
apply
on the
file
WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:
1
) The certificate used to sign the
file
chains up to a root
certificate located
in
the trusted root certificate store. This
implies that the identity of the publisher has been verified by
a certification authority.
2
) In cases where user interface
is
displayed (which this example
does
not
do), WinVerifyTrust will check
for
whether the
end entity certificate
is
stored
in
the trusted publisher store,
implying that the user trusts content
from
this publisher.
3
) The end entity certificate has sufficient permission to sign
code, as indicated by the presence of a code signing EKU
or
no
EKU.
*
/
GUID WVTPolicyGUID
=
WINTRUST_ACTION_GENERIC_VERIFY_V2;
WINTRUST_DATA WinTrustData;
/
/
Initialize the WinVerifyTrust
input
data structure.
/
/
Default
all
fields to
0.
memset(&WinTrustData,
0
, sizeof(WinTrustData));
WinTrustData.cbStruct
=
sizeof(WinTrustData);
/
/
Use default code signing EKU.
WinTrustData.pPolicyCallbackData
=
NULL;
/
/
No data to
pass
to SIP.
WinTrustData.pSIPClientData
=
NULL;
/
/
Disable WVT UI.
WinTrustData.dwUIChoice
=
WTD_UI_NONE;
/
/
No revocation checking.
WinTrustData.fdwRevocationChecks
=
WTD_REVOKE_NONE;
/
/
采用文件方式验证, 其他还有内存等
/
/
Verify an embedded signature on a
file
.
WinTrustData.dwUnionChoice
=
WTD_CHOICE_FILE;
/
/
Verify action.
WinTrustData.dwStateAction
=
WTD_STATEACTION_VERIFY;
/
/
Verification sets this value.
WinTrustData.hWVTStateData
=
NULL;
/
/
Not used.
WinTrustData.pwszURLReference
=
NULL;
/
/
This
is
not
applicable
if
there
is
no UI because it changes
/
/
the UI to accommodate running applications instead of
/
/
installing applications.
WinTrustData.dwUIContext
=
0
;
/
/
Set
pFile.
WinTrustData.pFile
=
&FileData;
/
/
当前操作是要验证签名,后面还需要调用一次关闭去释放从此次验证操作中得到的放在trustData中的数据
/
/
PS: 微软为啥老喜欢同一个接口换个flag就变成完全不同的功能,感觉用个FreeWinVerifyTrustedData之类的不好嘛。。(微软:你在教我做事?)
-
_
-
/
/
WinVerifyTrust verifies signatures as specified by the GUID
/
/
and
Wintrust_Data.
lStatus
=
WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
switch (lStatus)
{
case ERROR_SUCCESS:
/
*
Signed
file
:
-
Hash
that represents the subject
is
trusted.
-
Trusted publisher without
any
verification errors.
-
UI was disabled
in
dwUIChoice. No publisher
or
time stamp chain errors.
-
UI was enabled
in
dwUIChoice
and
the user clicked
"Yes"
when asked to install
and
run the signed
subject.
*
/
/
/
只是验证了签名有效,但是到底是不是预期的签名者进行的签名还不确定, 可以进一步验证
wprintf_s(L
"The file \"%s\" is signed and the signature "
L
"was verified.\n"
,
pwszSourceFile);
return
1
;
break
;
case TRUST_E_NOSIGNATURE:
/
/
The
file
was
not
signed
or
had a signature
/
/
that was
not
valid.
/
/
Get the reason
for
no signature.
dwLastError
=
GetLastError();
if
(TRUST_E_NOSIGNATURE
=
=
dwLastError ||
TRUST_E_SUBJECT_FORM_UNKNOWN
=
=
dwLastError ||
TRUST_E_PROVIDER_UNKNOWN
=
=
dwLastError)
{
/
/
The
file
was
not
signed.
wprintf_s(L
"The file \"%s\" is not signed.\n"
,
pwszSourceFile);
return
0
;
}
else
{
/
/
The signature was
not
valid
or
there was an error
/
/
opening the
file
.
wprintf_s(L
"An unknown error occurred trying to "
L
"verify the signature of the \"%s\" file.\n"
,
pwszSourceFile);
return
0
;
/
/
无签名
}
break
;
case TRUST_E_EXPLICIT_DISTRUST:
/
/
The
hash
that represents the subject
or
the publisher
/
/
is
not
allowed by the admin
or
user.
wprintf_s(L
"The signature is present, but specifically "
L
"disallowed.\n"
);
return
0
;
/
/
无效签名
break
;
case TRUST_E_SUBJECT_NOT_TRUSTED:
/
/
The user clicked
"No"
when asked to install
and
run.
wprintf_s(L
"The signature is present, but not "
L
"trusted.\n"
);
return
-
1
;
break
;
case CRYPT_E_SECURITY_SETTINGS:
/
*
The
hash
that represents the subject
or
the publisher
was
not
explicitly trusted by the admin
and
the
admin policy has disabled user trust. No signature,
publisher
or
time stamp errors.
*
/
wprintf_s(L
"CRYPT_E_SECURITY_SETTINGS - The hash "
L
"representing the subject or the publisher wasn't "
L
"explicitly trusted by the admin and admin policy "
L
"has disabled user trust. No signature, publisher "
L
"or timestamp errors.\n"
);
return
-
1
;
break
;
default:
/
/
The UI was disabled
in
dwUIChoice
or
the admin policy
/
/
has disabled user trust. lStatus contains the
/
/
publisher
or
time stamp chain error.
wprintf_s(L
"Error is: 0x%x.\n"
,
lStatus);
return
-
1
;
break
;
}
/
/
设置flag为CLOSE, 然后释放掉上面申请出来的内存。。
/
/
Any
hWVTStateData must be released by a call with close.
WinTrustData.dwStateAction
=
WTD_STATEACTION_CLOSE;
lStatus
=
WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
/
/
return
true;
}
int
VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
LONG
lStatus;
DWORD dwLastError;
/
/
Initialize the WINTRUST_FILE_INFO structure.
/
/
待验证文件的完整路径
WINTRUST_FILE_INFO FileData;
memset(&FileData,
0
, sizeof(FileData));
FileData.cbStruct
=
sizeof(WINTRUST_FILE_INFO);
FileData.pcwszFilePath
=
pwszSourceFile;
FileData.hFile
=
NULL;
FileData.pgKnownSubject
=
NULL;
/
*
WVTPolicyGUID specifies the policy to
apply
on the
file
WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:
1
) The certificate used to sign the
file
chains up to a root
certificate located
in
the trusted root certificate store. This
implies that the identity of the publisher has been verified by
a certification authority.
2
) In cases where user interface
is
displayed (which this example
does
not
do), WinVerifyTrust will check
for
whether the
end entity certificate
is
stored
in
the trusted publisher store,
implying that the user trusts content
from
this publisher.
3
) The end entity certificate has sufficient permission to sign
code, as indicated by the presence of a code signing EKU
or
no
EKU.
*
/
GUID WVTPolicyGUID
=
WINTRUST_ACTION_GENERIC_VERIFY_V2;
WINTRUST_DATA WinTrustData;
/
/
Initialize the WinVerifyTrust
input
data structure.
/
/
Default
all
fields to
0.
memset(&WinTrustData,
0
, sizeof(WinTrustData));
WinTrustData.cbStruct
=
sizeof(WinTrustData);
/
/
Use default code signing EKU.
WinTrustData.pPolicyCallbackData
=
NULL;
/
/
No data to
pass
to SIP.
WinTrustData.pSIPClientData
=
NULL;
/
/
Disable WVT UI.
WinTrustData.dwUIChoice
=
WTD_UI_NONE;
/
/
No revocation checking.
WinTrustData.fdwRevocationChecks
=
WTD_REVOKE_NONE;
/
/
采用文件方式验证, 其他还有内存等
/
/
Verify an embedded signature on a
file
.
WinTrustData.dwUnionChoice
=
WTD_CHOICE_FILE;
/
/
Verify action.
WinTrustData.dwStateAction
=
WTD_STATEACTION_VERIFY;
/
/
Verification sets this value.
WinTrustData.hWVTStateData
=
NULL;
/
/
Not used.
WinTrustData.pwszURLReference
=
NULL;
/
/
This
is
not
applicable
if
there
is
no UI because it changes
/
/
the UI to accommodate running applications instead of
/
/
installing applications.
WinTrustData.dwUIContext
=
0
;
/
/
Set
pFile.
WinTrustData.pFile
=
&FileData;
/
/
当前操作是要验证签名,后面还需要调用一次关闭去释放从此次验证操作中得到的放在trustData中的数据
/
/
PS: 微软为啥老喜欢同一个接口换个flag就变成完全不同的功能,感觉用个FreeWinVerifyTrustedData之类的不好嘛。。(微软:你在教我做事?)
-
_
-
/
/
WinVerifyTrust verifies signatures as specified by the GUID
/
/
and
Wintrust_Data.
lStatus
=
WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
switch (lStatus)
{
case ERROR_SUCCESS:
/
*
Signed
file
:
-
Hash
that represents the subject
is
trusted.
-
Trusted publisher without
any
verification errors.
-
UI was disabled
in
dwUIChoice. No publisher
or
time stamp chain errors.
-
UI was enabled
in
dwUIChoice
and
the user clicked
"Yes"
when asked to install
and
run the signed
subject.
*
/
/
/
只是验证了签名有效,但是到底是不是预期的签名者进行的签名还不确定, 可以进一步验证
wprintf_s(L
"The file \"%s\" is signed and the signature "
L
"was verified.\n"
,
pwszSourceFile);
return
1
;
break
;
case TRUST_E_NOSIGNATURE:
/
/
The
file
was
not
signed
or
had a signature
/
/
that was
not
valid.
/
/
Get the reason
for
no signature.
dwLastError
=
GetLastError();
if
(TRUST_E_NOSIGNATURE
=
=
dwLastError ||
TRUST_E_SUBJECT_FORM_UNKNOWN
=
=
dwLastError ||
TRUST_E_PROVIDER_UNKNOWN
=
=
dwLastError)
{
/
/
The
file
was
not
signed.
wprintf_s(L
"The file \"%s\" is not signed.\n"
,
pwszSourceFile);
return
0
;
}
else
{
/
/
The signature was
not
valid
or
there was an error
/
/
opening the
file
.
wprintf_s(L
"An unknown error occurred trying to "
L
"verify the signature of the \"%s\" file.\n"
,
pwszSourceFile);
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2023-10-4 20:39
被ShaShen4404编辑
,原因: