
DDoS attack defense _ server firewall open ports _ zero false positives

Time: 2021-07-16 15:04  Source: E度网络  Author: E度网络


In 2015, Microsoft introduced the Antimalware Scan Interface (AMSI) as a generic application programming interface (API) that lets software integrate with whatever antivirus is installed. AMSI allows developers of scripting engines such as Python, Ruby, or Microsoft's own PowerShell to ask the system's AV to scan script contents and decide whether the script is malicious or benign before executing it. Malicious actors and red teamers have increasingly turned to scripts, such as VBScript or PowerShell, not only as an infection vector but also for post-exploitation activity such as dumping credentials or ransoming files in "file-less malware" attacks. A number of proofs of concept have been released, such as PSAmsi and amsiscanner, that demonstrate how to write an AMSI client. However, very little has been written on actually implementing an AMSI provider. The documentation is severely lacking, so we're going to change that.

Powering the COMponents

Since PowerShell is open-source, we can examine how a script gets scanned via AMSI prior to execution. The script is ultimately compiled prior to execution by the ReallyCompile function in System.Management.Automation. Prior to compilation, PerformSecurityChecks is called, which calls AmsiUtils.ScanContent and subsequently WinScanContent. WinScanContent sets up the AMSI session and context and calls amsi!AmsiScanString (current PowerShell builds call AmsiScanBuffer instead, which reaches the same provider loop inside amsi.dll). amsi.dll then calls the IAntimalwareProvider::Scan method of each registered AMSI provider in order, and each returns a value of the AMSI_RESULT enumeration. If a provider returns a result other than AMSI_RESULT_NOT_DETECTED, scanning stops and that result is returned without calling the remaining providers.

Registering a Provider

An AMSI provider is a COM object that implements the IAntimalwareProvider COM interface. AMSI providers must register themselves by creating a CLSID entry under HKLM\SOFTWARE\Microsoft\AMSI\Providers. When AMSI is initialized in a host process (powershell.exe, winword.exe, mshta.exe, etc.), it enumerates each CLSID listed in the Providers key and instantiates the COM object. An example registration is provided below in the DllRegisterServer method; the DLL can be registered by calling regsvr32.exe with Administrator privileges. Two caveats before doing so: because every AMSI-aware process will load the provider DLL, a provider registration is also a persistence and tamper surface, so defenders should watch for writes to the Providers key; and on recent Windows 10 builds amsi.dll can require the provider DLL to carry a valid Authenticode signature (governed by the FeatureBits value under HKLM\SOFTWARE\Microsoft\AMSI), so an unsigned test provider may be silently skipped.

The listing below is reconstructed from a damaged copy of the article. The CLSID bytes and the class description string did not survive intact, so treat both as placeholders and generate your own GUID (uuidgen) before building.

#include <windows.h>
#include <initguid.h>
#include <strsafe.h>
#include <amsi.h>

// CLSID of the provider. Placeholder values; generate a fresh GUID before building.
DEFINE_GUID(CLSID_MyAMSIProvider,
    0x2facaae, 0x5213, 0x42c7, 0x9b, 0x65, 0x12, 0x3a, 0xe7, 0x10, 0x13, 0xa8);

static const TCHAR gc_szClassDescription[] = TEXT("My AMSI Provider"); // original string not recoverable
static const TCHAR gc_szThreadingModel[]   = TEXT("ThreadingModel");
static const TCHAR gc_szBoth[]             = TEXT("Both");
static const TCHAR gc_szInProcServer[]     = TEXT("InProcServer32");
static HMODULE g_hModule = NULL;

BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(lpReserved);
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        g_hModule = hModule;   // needed later to find our own path
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

STDAPI DllRegisterServer(void)
{
    HRESULT  hr         = S_OK;
    LONG     lRet       = ERROR_SUCCESS;
    HKEY     hClsidKey  = NULL;
    HKEY     hInProcKey = NULL;
    HKEY     hAmsiKey   = NULL;
    LPOLESTR lpszGuid   = NULL;
    TCHAR    szRegKey[MAX_PATH]       = { 0 };
    TCHAR    szAmsiProvider[MAX_PATH] = { 0 };
    TCHAR    szFile[MAX_PATH]         = { 0 };

    CoInitialize(NULL);

    // Full path of this DLL; becomes the default value of InProcServer32.
    GetModuleFileName(g_hModule, szFile, sizeof(szFile) / sizeof(TCHAR));

    hr = StringFromCLSID(&CLSID_MyAMSIProvider, &lpszGuid);
    if (FAILED(hr)) goto done;

    hr = StringCbPrintf(szRegKey, sizeof(szRegKey), TEXT("CLSID\\%ls"), lpszGuid);
    if (FAILED(hr)) goto done;
    hr = StringCbPrintf(szAmsiProvider, sizeof(szAmsiProvider),
                        TEXT("SOFTWARE\\Microsoft\\AMSI\\Providers\\%ls"), lpszGuid);
    if (FAILED(hr)) goto done;

    // HKCR\CLSID\{guid}, default value = class description
    lRet = RegCreateKeyEx(HKEY_CLASSES_ROOT, szRegKey, 0, NULL, REG_OPTION_NON_VOLATILE,
                          KEY_SET_VALUE | KEY_CREATE_SUB_KEY, NULL, &hClsidKey, NULL);
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }
    lRet = RegSetValueEx(hClsidKey, NULL, 0, REG_SZ,
                         (const BYTE *)gc_szClassDescription, sizeof(gc_szClassDescription));
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

    // HKCR\CLSID\{guid}\InProcServer32, default value = DLL path, ThreadingModel = Both
    lRet = RegCreateKeyEx(hClsidKey, gc_szInProcServer, 0, NULL, REG_OPTION_NON_VOLATILE,
                          KEY_SET_VALUE, NULL, &hInProcKey, NULL);
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }
    lRet = RegSetValueEx(hInProcKey, NULL, 0, REG_SZ, (const BYTE *)szFile,
                         (DWORD)((lstrlen(szFile) + 1) * sizeof(TCHAR)));
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }
    lRet = RegSetValueEx(hInProcKey, gc_szThreadingModel, 0, REG_SZ,
                         (const BYTE *)gc_szBoth, sizeof(gc_szBoth));
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

    // HKLM\SOFTWARE\Microsoft\AMSI\Providers\{guid}: this entry is what makes amsi.dll load us
    lRet = RegCreateKeyEx(HKEY_LOCAL_MACHINE, szAmsiProvider, 0, NULL, REG_OPTION_NON_VOLATILE,
                          KEY_SET_VALUE | KEY_CREATE_SUB_KEY, NULL, &hAmsiKey, NULL);
    if (lRet != ERROR_SUCCESS) { hr = HRESULT_FROM_WIN32(lRet); goto done; }

done:
    if (hInProcKey != NULL) RegCloseKey(hInProcKey);
    if (hClsidKey != NULL)  RegCloseKey(hClsidKey);
    if (hAmsiKey != NULL)   RegCloseKey(hAmsiKey);
    if (lpszGuid != NULL)   CoTaskMemFree(lpszGuid);
    return hr;
}

Now that we can receive AMSI callbacks, we need to implement IAntimalwareProvider::Scan. The method below enumerates the attributes of the IAmsiStream:

AMSI_ATTRIBUTE_APP_NAME - application name, such as OFFICE_VBA
AMSI_ATTRIBUTE_CONTENT_NAME - name of the script (the file name, where the host supplies one)
AMSI_ATTRIBUTE_CONTENT_SIZE - script buffer size
AMSI_ATTRIBUTE_CONTENT_ADDRESS - pointer to the script buffer

String attributes are read with the usual two-call pattern: the first call with a zero-size buffer fails with E_NOT_SUFFICIENT_BUFFER and reports the required size, and the second call fills the allocated buffer. The method dumps each scanned buffer to a temporary file and, as written, always returns AMSI_RESULT_NOT_DETECTED, so it observes without blocking.

HRESULT STDMETHODCALLTYPE MyAMSIProvider_Scan(IAntimalwareProvider *This,
                                              IAmsiStream *stream,
                                              AMSI_RESULT *result)
{
    HRESULT   hr        = S_OK;
    LPWSTR    wszApp    = NULL;
    LPWSTR    wszFile   = NULL;
    ULONGLONG ullSize   = 0;
    PBYTE     pBuf      = NULL;
    ULONG     ulRetData = 0;
    DWORD     dwRet     = 0;
    DWORD     dwWritten = 0;
    CHAR      lpPath[MAX_PATH + 1] = { 0 };
    CHAR      lpFile[MAX_PATH]     = { 0 };
    HANDLE    hFile     = INVALID_HANDLE_VALUE;
    BOOL      bSuccess  = FALSE;

    UNREFERENCED_PARAMETER(This);
    stream->lpVtbl->AddRef(stream);

    // Name of the program executing the script (size query first, then the data).
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_APP_NAME, 0, (PBYTE)wszApp, &ulRetData);
    if (hr != E_NOT_SUFFICIENT_BUFFER) goto get_name;
    wszApp = (LPWSTR)VirtualAlloc(NULL, ulRetData, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (wszApp == NULL) goto get_name;
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_APP_NAME, ulRetData, (PBYTE)wszApp, &ulRetData);
    if (FAILED(hr)) goto get_name;

get_name:
    // File name of the script, if the host supplied one.
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_CONTENT_NAME, 0, (PBYTE)wszFile, &ulRetData);
    if (hr != E_NOT_SUFFICIENT_BUFFER) goto get_size;
    wszFile = (LPWSTR)VirtualAlloc(NULL, ulRetData, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (wszFile == NULL) goto get_size;
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_CONTENT_NAME, ulRetData, (PBYTE)wszFile, &ulRetData);
    if (FAILED(hr)) goto get_size;

get_size:
    // Size of, and pointer to, the script data.
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_CONTENT_SIZE, sizeof(ullSize), (PBYTE)&ullSize, &ulRetData);
    if (FAILED(hr)) goto done;
    hr = stream->lpVtbl->GetAttribute(stream, AMSI_ATTRIBUTE_CONTENT_ADDRESS, sizeof(pBuf), (PBYTE)&pBuf, &ulRetData);
    if (FAILED(hr)) goto done;

    // Dump the buffer to a temp file so it can be inspected offline.
    dwRet = GetTempPathA(sizeof(lpPath), lpPath);
    if (dwRet == 0 || dwRet > sizeof(lpPath)) goto done;
    dwRet = GetTempFileNameA(lpPath, "ams", 0, lpFile);   // prefix not recoverable from the original; any three characters work
    if (dwRet == 0) goto done;
    hFile = CreateFileA(lpFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) goto done;
    bSuccess = WriteFile(hFile, pBuf, (DWORD)ullSize, &dwWritten, NULL);
    CloseHandle(hFile);

    // Perform script analysis here.

done:
    *result = AMSI_RESULT_NOT_DETECTED;   // Do nothing
    // *result = AMSI_RESULT_DETECTED;    // Block all the things?
    if (wszApp)  VirtualFree(wszApp, 0, MEM_RELEASE);
    if (wszFile) VirtualFree(wszFile, 0, MEM_RELEASE);
    stream->lpVtbl->Release(stream);
    return hr;
}

Two things to keep in mind when turning this into a real provider. Scan runs synchronously inside the host process on every request, so anything slow in it (the file write above included) directly delays script execution, and the provider runs with the privileges of whatever process loaded it. Scan is also only one member of the interface: a working provider must additionally supply the IUnknown methods, IAntimalwareProvider::CloseSession and DisplayName, an IClassFactory and DllGetClassObject so that amsi.dll can instantiate the object from the registered CLSID.
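The following PowerShell script is an added example, not code from the original article, that exercises both sides of what the sections above describe. It first lists the providers amsi.dll will load from HKLM\SOFTWARE\Microsoft\AMSI\Providers, resolving each CLSID through HKCR\CLSID to its InProcServer32 DLL and checking that DLL's Authenticode signature, and then drives the AMSI client API (AmsiInitialize, AmsiOpenSession, AmsiScanString) through P/Invoke, the same calls PowerShell's AmsiUtils makes, so a newly registered provider can be watched receiving a scan. Assumptions: an elevated PowerShell on Windows 10 or later; the function names Get-AmsiProvider and Invoke-AmsiScan and the application name AmsiProbe are mine; and the final step assumes a provider built from the Scan() above, which writes each scanned buffer to a file under %TEMP%.

```powershell
# Added example (not from the original article). Assumes elevated PowerShell on
# Windows 10+; Get-AmsiProvider, Invoke-AmsiScan and 'AmsiProbe' are names chosen here.
$ErrorActionPreference = 'Stop'

# 1. Enumerate providers the way amsi.dll does: one subkey per CLSID under
#    HKLM\SOFTWARE\Microsoft\AMSI\Providers, each resolved through HKCR\CLSID.
function Get-AmsiProvider {
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -LiteralPath $providersKey)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $providersKey) {
        $clsid  = $sub.PSChildName
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $inproc = "$clsKey\InProcServer32"
        $dll = $null; $model = $null; $sig = 'NoDll'
        if (Test-Path -LiteralPath $inproc) {
            $props = Get-ItemProperty -LiteralPath $inproc
            $dll   = "$($props.'(default)')".Trim('"')
            $model = $props.ThreadingModel
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                # Valid / NotSigned / HashMismatch ... Unsigned providers may be skipped by amsi.dll.
                $sig = (Get-AuthenticodeSignature -LiteralPath $dll).Status
            }
        }
        [pscustomobject]@{
            CLSID          = $clsid
            Description    = (Get-ItemProperty -LiteralPath $clsKey -ErrorAction SilentlyContinue).'(default)'
            Dll            = $dll
            ThreadingModel = $model
            Signature      = $sig
        }
    }
}

# 2. The AMSI client API via P/Invoke. String parameters are LPCWSTR, hence CharSet.Unicode.
Add-Type -Namespace Amsi -Name Native -MemberDefinition @'
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiInitialize(string appName, out IntPtr context);
[DllImport("amsi.dll")]
public static extern void AmsiUninitialize(IntPtr context);
[DllImport("amsi.dll")]
public static extern int AmsiOpenSession(IntPtr context, out IntPtr session);
[DllImport("amsi.dll")]
public static extern void AmsiCloseSession(IntPtr context, IntPtr session);
[DllImport("amsi.dll", CharSet = CharSet.Unicode)]
public static extern int AmsiScanString(IntPtr context, string content, string contentName, IntPtr session, out int result);
'@

function Invoke-AmsiScan {
    param([string]$Content, [string]$ContentName = 'probe.ps1', [string]$AppName = 'AmsiProbe')
    $ctx = [IntPtr]::Zero; $sess = [IntPtr]::Zero; $result = 0
    $hr = [Amsi.Native]::AmsiInitialize($AppName, [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        $hr = [Amsi.Native]::AmsiOpenSession($ctx, [ref]$sess)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        $hr = [Amsi.Native]::AmsiScanString($ctx, $Content, $ContentName, $sess, [ref]$result)
        if ($hr -ne 0) { throw ('AmsiScanString failed: 0x{0:X8}' -f $hr) }
        [Amsi.Native]::AmsiCloseSession($ctx, $sess)
    } finally {
        [Amsi.Native]::AmsiUninitialize($ctx)
    }
    # AMSI_RESULT: 0 = CLEAN, 1 = NOT_DETECTED, 16384 = BLOCKED_BY_ADMIN_START, 32768 = DETECTED
    return $result
}

Get-AmsiProvider | Format-Table -AutoSize

$before = Get-Date
# Constructed benign content: a provider that only logs answers NOT_DETECTED (1).
'Benign probe      -> {0}' -f (Invoke-AmsiScan -Content 'Write-Output "hello"')
# Microsoft's AMSI test string. It is assembled at run time so that PowerShell's own
# AMSI scan of this script file does not match on the literal and block the script;
# with Defender as the active provider the explicit scan reports DETECTED (32768).
$testSample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
'AMSI test string  -> {0}' -f (Invoke-AmsiScan -Content $testSample)

# 3. A provider built from the article's Scan() writes every buffer to %TEMP%; show what it produced.
Get-ChildItem -LiteralPath $env:TEMP -File | Where-Object LastWriteTime -gt $before |
    Select-Object Name, Length, LastWriteTime
```

Run it once before registering the provider and once after: the first section should show the new CLSID with its DLL path and signature status, and the third should show one new temporary file per Invoke-AmsiScan call if the provider is actually being invoked. If the new CLSID is listed but no file appears, check the signature column first, then confirm the DLL exports DllGetClassObject and that its IClassFactory hands out the IAntimalwareProvider object.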
