AV Evasion - C2 Remote-Control Edition & C/C++ & Anti-Sandbox/VM & Anti-Reverse-Debugging & Dynamic Keys Against Analysis & Countering VT Cloud Detection
Countering antivirus and cloud sandbox detection
Common sandbox detection techniques
Common debugger/analysis detection techniques
https://github.com/a0rtega/pafish/
https://github.com/Arvanaghi/CheckPlease
https://github.com/wanttobeno/AntiDebuggers
https://github.com/LordNoteworthy/al-khaser
https://github.com/ZanderChang/anti-sandbox
https://github.com/nek0YanSu/CheckVM-Sandbox
https://github.com/sunn1day/malware-anti-techniques
https://bbs.kanxue.com/thread-225740.htm
https://anti-debug.checkpoint.com/techniques/debug-flags.html
➢ C2 remote control - anti-sandbox - machine characteristics & real-machine checks
Example: (uniqueness) - prototype & APC & XOR, etc.
Reference: https://github.com/ZanderChang/anti-sandbox
1. Custom loop delay: instead of the built-in sleep, burn time by looping and printing
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* Burn time with a busy loop instead of calling Sleep(). */
int custom_sleep(void)
{
    int i = 0;
    int j = 0;
    char* strpi = NULL;
    strpi = (char*)malloc(10000);
    if (strpi == NULL)
        return 1;
    for (i = 0; i < 10000; i++)
    {
        strpi[i] = 0;
        printf("%d,%d\n", strpi[i], i);
    }
    for (j = 0; j < 300; j++)
    {
        printf("%d,%d\n", strpi[j], j);
    }
    free(strpi);
    return 0;
}

int main(void)
{
    custom_sleep();
    /* Wait 10 s on a manual-reset event that is never signalled:
       a delay that does not go through Sleep(). */
    HANDLE hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
    WaitForSingleObject(hEvent, 10000);
    printf("hello world\n");
    CloseHandle(hEvent);
    return 0;
}
2. Check whether directories/files are present: look for directories of software common on real machines, or for a file created earlier in the current directory
#include <windows.h>
#include <tchar.h>
#include <fstream>
#include <string>

// Returns true if the file can be opened for reading.
bool Is_File_Exist(const std::string& file_path)
{
    std::ifstream file(file_path.c_str());
    return file.good();
}

// Returns TRUE if szPath exists and is not a directory.
BOOL isFileExists(const TCHAR* szPath) {
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

// Returns TRUE if szPath exists and is a directory.
BOOL isDirExists(const TCHAR* szPath) {
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES) && (dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

// Returns TRUE if the registry key regkey_s under hKey can be opened for reading.
BOOL isExistsRegkey(HKEY hKey, const TCHAR* regkey_s) {
    HKEY regkey;
    LONG ret;
    ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    if (ret == ERROR_SUCCESS) {
        RegCloseKey(regkey);
        return TRUE;
    }
    return FALSE;
}
3. Check target characteristics: the real machine's IP address, computer name, username and similar attributes
#include <windows.h>
#include <string.h>
#include <ctype.h>

// Returns TRUE if the current user name contains "ADMIN" (case-insensitive).
int gensandbox_username() {
    char username[200];
    size_t i;
    DWORD usersize = sizeof(username);
    if (!GetUserNameA(username, &usersize)) {
        return FALSE;   // could not read the user name; treat as no match
    }
    for (i = 0; i < strlen(username); i++) {
        username[i] = (char)toupper((unsigned char)username[i]);
    }
    if (strstr(username, "ADMIN") != NULL) {
        return TRUE;
    }
    return FALSE;
}
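The three real-machine checks above (delay, directory/registry presence, username) only work against an analysis VM that is configured carelessly, so a sandbox operator wants to know which of them the VM would fail. The following Python audit is an added example, not part of the original notes or the referenced projects: the directory and registry lists, the VmProfile fields and the two sample profiles are constructed assumptions, while the "ADMIN" substring and the 10-second delay are the values used in the snippets above.

```python
"""Score an analysis-VM profile against the real-machine checks above."""
from dataclasses import dataclass

# What the sample expects to find on a real workstation. Constructed for this
# example; a real audit would use the operator's own inventory.
EXPECTED_DIRS = (
    r"C:\Program Files\Google\Chrome",
    r"C:\Program Files (x86)\Microsoft Office",
    r"C:\Users\Public\Documents",
)
EXPECTED_REG_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"HKCU\Software\Microsoft\Office",
)
# The username substring tested in gensandbox_username() above.
USERNAME_TOKEN = "ADMIN"
# The WaitForSingleObject timeout used above, in seconds.
IMPLANT_DELAY_SECONDS = 10


@dataclass(frozen=True)
class VmProfile:
    username: str
    existing_dirs: frozenset
    existing_reg_keys: frozenset
    analysis_window_seconds: int  # wall-clock time the sandbox lets the sample run


def audit_profile(profile):
    """Return one finding string per check the VM would fail; [] means it passes."""
    findings = []
    if USERNAME_TOKEN in profile.username.upper():
        findings.append(f"username: {profile.username!r} contains {USERNAME_TOKEN!r}")
    for d in EXPECTED_DIRS:
        if d not in profile.existing_dirs:
            findings.append(f"dir: missing {d}")
    for k in EXPECTED_REG_KEYS:
        if k not in profile.existing_reg_keys:
            findings.append(f"reg: missing {k}")
    if profile.analysis_window_seconds <= IMPLANT_DELAY_SECONDS:
        findings.append(
            f"timing: {profile.analysis_window_seconds}s window is not longer than "
            f"the {IMPLANT_DELAY_SECONDS}s delay the sample waits before acting"
        )
    return findings


# Two constructed profiles: a careless VM and a hardened one.
WEAK_PROFILE = VmProfile("admin", frozenset(), frozenset(), 8)
HARDENED_PROFILE = VmProfile(
    "jsmith", frozenset(EXPECTED_DIRS), frozenset(EXPECTED_REG_KEYS), 180
)

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_profile(prof)
        print(f"{name}: {len(findings)} failing check(s)")
        for f in findings:
            print("  -", f)
```

The timing check is the one worth noting: because the busy loop above never calls Sleep(), fast-forwarding timers does not shorten it, so the only remedy on the sandbox side is a longer real analysis window.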
➢ C2 remote control - anti-reverse-debugging - API & debugger behaviour/functionality
Example: (uniqueness) - prototype & APC & XOR, etc.
Reference: https://bbs.kanxue.com/thread-225740.htm
1. Using the Windows API
#include <windows.h>

// Reads the BeingDebugged flag of the current process via the API.
BOOL CheckDebug_IsDebuggerPresent()
{
    return IsDebuggerPresent();
}

// Asks the system whether a debugger is attached to this process.
BOOL CheckDebug_RemoteDebugger()
{
    BOOL ret = FALSE;   // stays FALSE if the call itself fails
    CheckRemoteDebuggerPresent(GetCurrentProcess(), &ret);
    return ret;
}
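For the defender, the APIs used in the anti-sandbox and anti-debug snippets above are themselves an indicator. The Python helper below is an added example (not code from the original notes or the referenced projects): it maps a sample's imported API names to the technique they suggest, using the functions that appear in this page's snippets plus their A/W variants. The import lists are constructed; pulling the real list out of a PE's import table (for example with pefile) is assumed to happen elsewhere.

```python
"""Map a sample's imported Win32 API names to the anti-analysis technique they suggest."""

# Each rule: (technique label, list of API groups). A rule fires when every
# group has at least one member in the import list; a group with one entry is
# simply a required API. The groups cover the APIs from the snippets above and
# their A/W variants (an assumption, not an exhaustive catalogue).
RULES = [
    ("anti-debug: direct API query",
     [{"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}]),
    ("anti-sandbox: username check",
     [{"GetUserNameA", "GetUserNameW"}]),
    ("anti-sandbox: file/directory probe",
     [{"GetFileAttributesA", "GetFileAttributesW"}]),
    ("anti-sandbox: registry key probe",
     [{"RegOpenKeyExA", "RegOpenKeyExW"}]),
    # Event + wait is common in benign code, so both must be present.
    ("anti-sandbox: event-wait delay",
     [{"CreateEventA", "CreateEventW"}, {"WaitForSingleObject"}]),
]


def classify_imports(imports):
    """Return {technique: [matching APIs]} for every rule that fires."""
    present = set(imports)
    found = {}
    for label, groups in RULES:
        hits = []
        for group in groups:
            got = sorted(present & group)
            if not got:
                hits = []   # one required group missing: the rule does not fire
                break
            hits.extend(got)
        if hits:
            found[label] = hits
    return found


def triage_verdict(imports, threshold=2):
    """Flag a sample when at least `threshold` distinct techniques appear."""
    n = len(classify_imports(imports))
    verdict = "suspicious" if n >= threshold else "no anti-analysis indicators"
    return (verdict, n)


# Constructed import lists, not taken from a real binary.
SUSPECT_IMPORTS = [
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetUserNameA",
    "GetFileAttributesA", "RegOpenKeyExA", "CreateEventA",
    "WaitForSingleObject", "printf",
]
BENIGN_IMPORTS = ["CreateFileW", "WriteFile", "CloseHandle", "WaitForSingleObject", "printf"]

if __name__ == "__main__":
    for name, imps in (("suspect", SUSPECT_IMPORTS), ("benign", BENIGN_IMPORTS)):
        print(name, triage_verdict(imps))
        for technique, apis in classify_imports(imps).items():
            print("  ", technique, "->", ", ".join(apis))
```

Two limits to keep in mind: an import-table rule only sees statically linked names, so APIs resolved at run time through GetProcAddress are missed, and several of these calls (GetFileAttributes, WaitForSingleObject) are legitimate in ordinary software, which is why the verdict requires more than one technique rather than a single hit.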
2. Recognizing debugger behaviour
3. Interfering with debugger functionality