
What is the process from analyzing the generation of CS Trojans to developing AV-evasion (kill-free) tools?

2025-01-20 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail the process from analyzing Cobalt Strike (CS) Trojans to developing AV-evasion (kill-free) tools. The content is of high quality, so the editor shares it here for reference; I hope you will have a clear understanding of the relevant mechanisms after reading it.

Trojans are one of the common weapons used in network attacks, and some of them evade detection and removal by antivirus software thanks to AV-evasion (kill-free) techniques. The purpose of this article is to help you better understand the Artifact generation mechanism of CS Trojans by analyzing how CS generates them and then developing an evasion tool on the same principle.

Cobalt Strike is software for red team operations and APT attack simulation; it has very strong collaboration features and considerable extensibility.

Whether it is writing shellcode, creating custom C2 binaries, or modifying code to hide malicious programs, all of this is part of a red team's day-to-day work, so it is only natural to read and understand the code of a mature C2 framework.

How CobaltStrike generates ShellCode

CS uses Swing for its UI, so the operation class behind each dialog can be found directly in the code.

+ `aggressor\dialogs\WindowsExecutableDialog.class`

The generation logic is clearly visible (decompiled code, reformatted for readability):

```java
protected byte[] stager;

@Override
public void dialogAction(final ActionEvent actionEvent, final Map options) {
    this.options = options;
    // Build the stager shellcode from the dialog options (listener, arch, ...)
    this.stager = DialogUtils.getStager(options);
    if (this.stager.length == 0) {
        return;
    }
    // Pick the default file name from the selected output type
    final String string = options.get("output") + "";
    String s = "";
    if (string.indexOf("EXE") > -1) {
        s = "artifact.exe";
    } else if (string.indexOf("DLL") > -1) {
        s = "artifact.dll";
    }
    SafeDialogs.saveFile(null, s, this);
}
```

The generated stager is obtained through DialogUtils.getStager(), and the file is then written out through saveFile.

The getStager() method calls aggressor\DataUtils.shellcode(), which is really just a thin wrapper around Stagers:

```java
return Stagers.shellcode(s, "x86", b);
```

Finally, in stagers\Stagers.shellcode(), a stager class matching the listener type, for example stagers\GenericHTTPStager (which inherits from GenericStager), is instantiated, and its generate() method produces the shellcode.

When the shellcode is generated, resources/httpstager.bin is read and combined, through Packer, with values such as the listener's host and port.

Those values then replace the runs of X and Y placeholder bytes in the bin file, and the shellcode is finally returned as a byte[].

Patch Artifact

Once the shellcode has been generated, return to the starting point: different artifact templates are patched according to the user's choice. Take the x86 template as an example.

Continue following patchArtifact:

```java
new ArtifactUtils(this.client).patchArtifact(this.stager, "artifact32.exe", s);
```

+ `common\BaseArtifactUtils.class`

```java
public byte[] patchArtifact(final byte[] array, final String s) {
    final Stack stack = new Stack();
    stack.push(SleepUtils.getScalar(array));
    stack.push(SleepUtils.getScalar(s));
    // Aggressor Script hook: a loaded script may supply its own artifact generator
    final String format = this.client.getScriptEngine().format("EXECUTABLE_ARTIFACT_GENERATOR", stack);
    if (format == null) {
        // No hook registered: patch the built-in template, then fix the PE checksum
        return this.fixChecksum(this._patchArtifact(array, s));
    }
    return this.fixChecksum(CommonUtils.toBytes(format));
}
```

Looking at fixChecksum, you can see that the PE checksum is corrected through the PE editor.

Without going into detail here, those interested in the editor implementation can look at pe\PEEditor.class:

```java
final PEEditor peEditor = new PEEditor(array);
peEditor.updateChecksum();   // recompute the PE header checksum after patching
return peEditor.getImage();
```

Notice that this._patchArtifact(array, s) calls a method of the same name with a leading underscore. PS: for a moment I thought I was looking at Python.

It reads artifact32.exe from the resources folder as the template file and locates the shellcode position by the run of 1024 repeated 'A' characters.

As when generating the shellcode, common/CommonUtils.replaceAt() is used to edit the string converted from the byte stream and overwrite the placeholder:

```java
public static String replaceAt(final String s, final String s2, final int n) {
    final StringBuffer sb = new StringBuffer(s);
    sb.delete(n, n + s2.length());   // drop as many placeholder bytes as the payload will cover
    sb.insert(n, s2);
    return sb.toString();
}
```

In a hex editor, you can directly see the marker region where the shellcode is stored.

It is worth noting that, because the shellcode is usually shorter than the 1024-byte run of 'A' it replaces, the generated exe generally retains some of those leftover characters after the shellcode. This does not affect execution of the shellcode.
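As an added, defender-side example (not code from the article or from Cobalt Strike), the leftover placeholder bytes just described are themselves a usable signal: the check below scans a binary for long runs of the 'A' filler, distinguishes an untouched template from one where a shorter payload overwrote only part of the 1024-byte region, and estimates where that payload starts so it can be carved for analysis. The sample buffers are constructed stand-ins, not real PE files or shellcode.

```python
import re
from typing import Dict, List, Tuple

PLACEHOLDER = 0x41     # the 'A' filler byte used by the template
TEMPLATE_LEN = 1024    # size of the placeholder region in the template
MIN_RUN = 64           # runs this long are rare in real code and worth flagging


def find_placeholder_runs(data: bytes, marker: int = PLACEHOLDER,
                          min_run: int = MIN_RUN) -> List[Tuple[int, int]]:
    """Return (offset, length) for every maximal run of `marker` at least `min_run` long."""
    pattern = re.compile(re.escape(bytes([marker])) + b"{" + str(min_run).encode() + b",}")
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]


def classify(data: bytes, template_len: int = TEMPLATE_LEN) -> List[Dict[str, object]]:
    """Label each run: a full-length run is an unpatched template; a shorter run is
    the tail left behind when a payload shorter than the region was written in front of it."""
    findings: List[Dict[str, object]] = []
    for off, length in find_placeholder_runs(data):
        if length >= template_len:
            findings.append({"offset": off, "length": length, "kind": "unpatched-template"})
        else:
            payload_len = template_len - length   # bytes of the region that were overwritten
            findings.append({"offset": off, "length": length,
                             "kind": "partially-overwritten-placeholder",
                             "payload_start": off - payload_len,
                             "payload_length": payload_len})
    return findings


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed template and patched copy (pseudo-PE layout, not real binaries)."""
    head = b"MZ" + bytes(range(1, 200))              # constructed header/code bytes
    tail = bytes(range(200, 256)) * 4                # constructed trailing data
    template = head + bytes([PLACEHOLDER]) * TEMPLATE_LEN + tail
    # Constructed 300-byte filler standing in for a payload (deliberately not shellcode)
    filler = bytes((i * 37 + 11) % 256 for i in range(300))
    patched = head + filler + template[len(head) + len(filler):]
    return template, patched


if __name__ == "__main__":
    template, patched = build_samples()
    for name, buf in (("template", template), ("patched", patched)):
        print(name, classify(buf))
```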

Shellcode Launcher

A loader that connects back remotely to fetch the next-stage payload and loads it into memory to avoid detection, using the VirtualAlloc-then-WriteProcessMemory allocation pattern, has long been widely used by many remote-access Trojans.

In their latest introductory video, the CS developers disclosed part of the artifact source code and demonstrated bypassing Defender by modifying the loader.

He avoided most antivirus products simply by using HeapAlloc instead of VirtualAlloc.

On that basis, we added XOR encryption of the shellcode, which yields a very compact C++ shellcode loader.

Then, following the way CS does it, place a large number of repeated placeholder bytes in the buf where the shellcode would normally go, to serve as the locating marker:

```shell
python -c "print('A' * 1024)"
```

Compile it to template.exe with Visual Studio or MinGW.

Developing the AV-evasion (kill-free) gadget

Then create a new JavaFX project; the styling and part of the code are borrowed from a Chaos kill-free helper.

To summarize the workflow: first preprocess the CS or MSF shellcode, XOR-encrypt it, read the template file, locate the shellcode position, overwrite it, and finally save the result.

Many classes can be copied directly from CS and used as they are.

Focus on the XOR step: to stay consistent with the launcher's decryption, convert the shellcode to int values for the XOR, convert the result back to hex, and finally package everything as a jar.

Generate a veil-type payload, copy and paste it in, generate, and save.

The final evasion result depends on the launcher template; for such a concise template with so little changed, the result was unexpectedly good.

After all, the goal here is not to chase the evasion result itself but to understand the Artifact generation mechanism of the CS Trojan.

That covers the process from analyzing CS Trojan generation to developing AV-evasion tools. I hope the above is of some help and that you have learned something. If you found the article useful, share it so more people can see it.
