With 2020 drawing to a close, I have seen many different kinds of antivirus evasion. What stands out is that older anti-hooking techniques have resurfaced and are being applied against both AV and EDR products. If we are being hooked, who is hooking us? To check whether an AV or EDR is installed at all, you can ask WMIC for the products registered with Windows Security Center:
```
wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
```
(Courtesy of Sam Denty on StackOverflow)
That works in most cases. However, it only returns a name if the AV or EDR has registered itself in the Windows Security Center namespace; if the product has not registered, the query returns nothing and tells you nothing. (The root\SecurityCenter2 namespace also only exists on client editions of Windows; Windows Server has no Security Center.) Because this depends on the security product cooperating by registering itself, I took a different route. This post documents AV artifacts: the traces a security product leaves on the machine that reveal its presence, so that we no longer depend on the Security Center namespace.
This post covers the following products:
- Avira: no hooks found; drivers/minifilters located
- F-Secure: no hooks found; drivers/minifilters located
- Norton: 3 hooked DLLs; drivers/minifilters located
- Trend Micro: 3 hooked DLLs; drivers/minifilters located
- Webroot: 5 hooked DLLs; drivers/minifilters located
- BitDefender: 6 hooked DLLs; drivers/minifilters located
- Malwarebytes: 8 hooked DLLs; drivers/minifilters located
The products were picked at random and the order is random as well. This post was written to answer two questions:
Which functions get hooked?
If there is a security product on the system, which one is it?
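The second question can be answered from the artifacts catalogued in the sections that follow, without touching the Security Center namespace. The program below is an added example, not code from the original post: it carries a subset of the driver and DLL names listed here, keyed by vendor, and reports which vendors are evidenced by (1) the modules already loaded into the current process, which is where a user-mode hooking DLL has to live, and (2) driver files present under C:\Windows\System32\Drivers. The name matching is portable and is demonstrated on a constructed observation list; the Windows-only part of main() uses EnumProcessModules, GetModuleBaseNameA and GetFileAttributesA to feed it real names. The vendor strings and the sample list are my own choices.

```c
/* Added example, not code from the original post: identify installed security
 * products from the artifacts this post catalogues (kernel drivers under
 * C:\Windows\System32\Drivers and the vendor DLLs injected into our own process
 * to hook it) instead of relying on root\SecurityCenter2.  Name matching is
 * portable and is exercised on a constructed observation list; on Windows,
 * main() feeds it the real module and driver names. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* EnumProcessModules; link with -lpsapi on MinGW */
#endif

struct artifact { const char *name; const char *vendor; int is_dll; };

/* Subset of the driver and DLL names listed in this post, keyed by vendor. */
static const struct artifact ARTIFACTS[] = {
    {"avgntflt.sys", "Avira", 0},        {"avipbb.sys", "Avira", 0},
    {"fshs.sys", "F-Secure", 0},         {"fsulgk.sys", "F-Secure", 0},
    {"BHDrvx64.sys", "Norton", 0},       {"SymEvnt.sys", "Norton", 0},
    {"TMUMH.sys", "Trend Micro", 0},     {"tmmon64.dll", "Trend Micro", 1},
    {"TmUmEvt64.dll", "Trend Micro", 1}, {"WRkm.sys", "Webroot", 0},
    {"WRusr.dll", "Webroot", 1},         {"atc.sys", "BitDefender", 0},
    {"bdhkm64.dll", "BitDefender", 1},   {"atcuf64.dll", "BitDefender", 1},
    {"mbae64.sys", "Malwarebytes", 0},   {"mbam.sys", "Malwarebytes", 0},
    {"mbae.dll", "Malwarebytes", 1},
};
#define N_ARTIFACTS (sizeof ARTIFACTS / sizeof ARTIFACTS[0])

/* Case-insensitive equality: NTFS names are case-preserving, not case-sensitive. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Vendor an observed file or module name points to, or NULL for benign names.
 * Any directory part is stripped so full module paths match the bare names. */
const char *vendor_of(const char *observed)
{
    const char *base = strrchr(observed, '\\');
    base = base ? base + 1 : observed;
    for (size_t i = 0; i < N_ARTIFACTS; ++i)
        if (ieq(base, ARTIFACTS[i].name)) return ARTIFACTS[i].vendor;
    return NULL;
}

/* Collect the distinct vendors evidenced by a list of observed names into out
 * (at most max entries); returns how many were written. */
int identify_vendors(const char *const *observed, int n, const char **out, int max)
{
    int found = 0;
    for (int i = 0; i < n; ++i) {
        const char *v = vendor_of(observed[i]);
        int dup = 0;
        if (!v) continue;
        for (int j = 0; j < found; ++j) if (strcmp(out[j], v) == 0) dup = 1;
        if (!dup && found < max) out[found++] = v;
    }
    return found;
}

/* Constructed observation list (not captured from a real host): two Trend
 * Micro artifacts, one Malwarebytes driver and benign Microsoft modules. */
static const char *const SAMPLE_OBSERVED[] = {
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\System32\\tmumh\\20019\\TmUmEvt64.dll",
    "TMUMH.SYS", "mbam.sys", "C:\\Windows\\System32\\kernel32.dll",
};
#define N_SAMPLE ((int)(sizeof SAMPLE_OBSERVED / sizeof SAMPLE_OBSERVED[0]))

/* Number of distinct vendors the sample list evidences (Trend Micro, Malwarebytes). */
int demo_vendor_count(void)
{
    const char *vendors[8];
    return identify_vendors(SAMPLE_OBSERVED, N_SAMPLE, vendors, 8);
}

int main(void)
{
#ifdef _WIN32
    HMODULE mods[512]; DWORD needed = 0; char name[MAX_PATH], path[MAX_PATH];
    /* 1. vendor hook DLLs already loaded into this very process */
    if (EnumProcessModules(GetCurrentProcess(), mods, sizeof mods, &needed))
        for (DWORD i = 0; i < needed / sizeof(HMODULE); ++i)
            if (GetModuleBaseNameA(GetCurrentProcess(), mods[i], name, sizeof name) && vendor_of(name))
                printf("loaded module %-20s -> %s\n", name, vendor_of(name));
    /* 2. kernel drivers dropped into System32\Drivers */
    for (size_t i = 0; i < N_ARTIFACTS; ++i) {
        if (ARTIFACTS[i].is_dll) continue;
        snprintf(path, sizeof path, "C:\\Windows\\System32\\Drivers\\%s", ARTIFACTS[i].name);
        if (GetFileAttributesA(path) != INVALID_FILE_ATTRIBUTES)
            printf("driver        %-20s -> %s\n", ARTIFACTS[i].name, ARTIFACTS[i].vendor);
    }
#else
    const char *vendors[8];
    int n = identify_vendors(SAMPLE_OBSERVED, N_SAMPLE, vendors, 8);
    for (int i = 0; i < n; ++i) printf("evidence of %s\n", vendors[i]);
#endif
    return 0;
}
```

Two caveats worth keeping in mind. BitDefender's KERNELBASE hook list further down includes EnumProcessModules, GetModuleBaseNameW and GetProcAddress, so on that product the module-enumeration half of this check itself runs through a hook; walking the PEB loader list (PEB->Ldr->InMemoryOrderModuleList) yields the same module names without calling any of those APIs. The driver half only proves that a file exists, not that the driver is loaded; fltmc.exe or EnumDeviceDrivers (also on BitDefender's list) answers that question.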
Avira
Drivers:
| Name | Description | Path |
|---|---|---|
| avkmgr.sys | Avira Manager Driver | C:\Windows\System32\Drivers\ |
| avipbb.sys | Avira Enhanced Security Driver | C:\Windows\System32\Drivers\ |
| avusbflt.sys | Avira USB Filter Driver | C:\Windows\System32\Drivers\ |
| avdevprot.sys | Avira USB Function Driver | C:\Windows\System32\Drivers\ |
| avnetflt.sys | Avira WFP Network Driver | C:\Windows\System32\Drivers\ |
| avgntflt.sys | Avira Minifilter Driver | C:\Windows\System32\Drivers\ |
F-Secure
Drivers:
| Name | Description | Path |
|---|---|---|
| nif2s64.sys | F-Secure NIF2 Core Driver | Program Files (x86)\F-Secure\ |
| fshs.sys | DG 64-bit Kernel Module | Program Files (x86)\F-Secure\ |
| fsulgk.sys | F-Secure Gatekeeper 64-bit | Program Files (x86)\F-Secure\ |
Norton
Drivers:
| Name | Description | Path |
|---|---|---|
| BHDrvx64.sys | BASH Driver | ProgramFile\NortonSecurity\NortonData\..\ |
| IDSVia64.sys | IDS Core Driver | ProgramFile\NortonSecurity\NortonData\..\ |
| SymEvnt.sys | Symantec Event Platform | ProgramFile\NortonSecurity\NortonData\..\ |
Hooked functions
KERNELBASE.DLL: VirtualAllocEx, CreateFileMappingW, CreateFileMappingNumaW, CreateFileW, MapViewOfFile, VirtualProtect, HeapCreate, VirtualAlloc, MapViewOfFileEx, CreateRemoteThreadEx, WriteProcessMemory, VirtualProtectEx
NTDLL.DLL: RtlAddVectoredExceptionHandler, RtlRemoveVectoredExceptionHandler, LdrLoadDll, RtlCreateHeap, NtSetInformationProcess, NtMapViewOfSection, NtWriteVirtualMemory, NtCreateSection, NtProtectVirtualMemory, NtCreateFile, NtCreateProcess, NtCreateThreadEx, NtCreateUserProcess, KiUserExceptionDispatcher
KERNEL32.DLL: CreateFileMappingA, SetProcessDEPPolicy, VirtualAlloc, MapViewOfFile, CreateFileMappingW, VirtualProtect, HeapCreate, MapViewOfFileEx, CreateRemoteThread, VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, WinExec
Trend Micro
Drivers:
| Name | Description | Path |
|---|---|---|
| TMBEC64.sys | Trend Micro Early Launch Driver | C:\Windows\System32\Drivers\ |
| tmnciesc.sys | Trend Micro NICE Scanner | C:\Windows\System32\Drivers\ |
| tmeevw.sys | Trend Micro Eagle Eye Driver | C:\Windows\System32\Drivers\ |
| tmeyes.sys | Trend Micro Eagle Eye Driver Module | C:\Windows\System32\Drivers\ |
| TMUMH.sys | Trend Micro UMH Driver x64 | C:\Windows\System32\Drivers\ |
| tmusa.sys | Trend Micro Osprey Scan Driver | C:\Windows\System32\Drivers\ |
DLLs:
| Name | Description | Path |
|---|---|---|
| tmmon64.dll | Trend Micro UMH Detection Engine | System32\tmumh\20019\..\ |
| TmUmEvt64.dll | Trend Micro User-Mode Hook | System32\tmumh\20019\..\ |
| TmAMSIProvider64.dll | Trend Micro AMSI Provider Module | System32\TmAMSI\TmAMSIProvider64.dll |
Hooked functions
KERNELBASE.DLL: CreateFileA, CreateFileW, LoadLibraryExW, CreateFileMappingW, LoadLibraryExA, CreateRemoteThreadEx, VirtualAlloc, MapViewOfFile, VirtualProtect, HeapCreate, WriteProcessMemory, VirtualProtectEx, LoadLibraryA, LoadLibraryW
KERNEL32.DLL: (hooked; no functions listed)
NTDLL.DLL: RtlCreateHeap, LdrUnloadDll, NtMapViewOfSection, NtUnmapViewOfSection, NtContinue, NtCreateSection, NtProtectVirtualMemory, NtCreateFile, NtSetContextThread
Webroot
Drivers:
| Name | Description | Path |
|---|---|---|
| WRkm.sys | Webroot SecureAnywhere | C:\Windows\System32\Drivers\ |
DLLs:
| Name | Description | Path |
|---|---|---|
| WRusr.dll | Webroot SecureAnywhere | Windows\SysWOW64\WRusr.dll |
Hooked functions
ADVAPI32.DLL: OpenSCManagerW, OpenServiceW, OpenSCManagerA, StartServiceW, ControlService, CreateServiceA, CreateServiceW, DeleteService, OpenServiceA, StartServiceA, WmiExecuteMethodW
USER32.DLL: PostThreadMessageA, PostMessageA, SendMessageA, SendMessageTimeoutA, SetWindowTextA, CreateWindowExA, SetWindowsHookExA, DrawTextExW, CreateWindowExW, PostMessageW, SendMessageW, SetWindowTextW, PostThreadMessageW, SendMessageTimeoutW, SetWindowsHookExW, SetWinEventHook, SendMessageCallbackW, SendNotifyMessageW, ExitWindowsEx, MessageBoxTimeoutW, SendMessageCallbackA
KERNELBASE.DLL: OutputDebugStringA, CreateProcessInternalW
NTDLL.DLL: NtWaitForSingleObject, NtDeviceIoControlFile, NtRequestWaitReplyPort, NtOpenProcess, NtMapViewOfSection, NtTerminateProcess, NtDelayExecution, NtWriteVirtualMemory, NtOpenEvent, NtAdjustPrivilegesToken, NtQueueApcThread, NtCreateEvent, NtCreateSection, NtCreateThread, NtProtectVirtualMemory, NtTerminateThread, NtWaitForMultipleObjects, NtSetValueKey, NtAlpcConnectPort, NtAlpcCreatePort, NtAlpcCreatePortSection, NtAlpcCreateSectionView, NtAlpcSendWaitReceivePort, NtAssignProcessToJobObject, NtConnectPort, NtCreateMutant, NtCreatePort, NtCreateSemaphore, NtCreateThreadEx, NtDeleteKey, NtDeleteValueKey, NtMakeTemporaryObject, NtOpenMutant, NtOpenSemaphore, NtOpenThread, NtQueueApcThreadEx, NtRequestPort, NtSecureConnectPort, NtSetContextThread, NtShutdownSystem, NtSystemDebugControl, CsrClientCallServer
URLMON.DLL: URLDownloadToFileW, URLDownloadToFileA
WININET.DLL: InternetOpenA, InternetCloseHandle, InternetOpenUrlA
GDI32.DLL: (hooked; no functions listed)
KERNEL32.DLL: (hooked; no functions listed)
RPCRT4.DLL: RpcSend, RpcSendReceive, NdrSendReceive
BitDefender
Drivers:
| Name | Description | Path |
|---|---|---|
| atc.sys | BitDefender Active Threat Control | C:\Windows\System32\Drivers\ |
DLLs:
| Name | Description | Path |
|---|---|---|
| bdhkm64.dll | BitDefender hooking DLL | Program Files\BitDefender AntivirusFree\bdkdm\...\ |
| atcuf64.dll | BitDefender Active Threat Control (user mode) | Program Files\BitDefender AntivirusFree\atcuf\...\ |
Hooked functions
KERNELBASE.DLL: DefineDosDeviceW, CreateProcessW, CreateProcessA, CreateProcessInternalA, CreateProcessInternalW, PeekConsoleInputW, CloseHandle, DeleteFileW, OpenThread, CreateRemoteThreadEx, GetProcAddress, MoveFileWithProgressW, MoveFileExW, GetModuleBaseNameW, GetModuleInformation, GetModuleFileNameExW, EnumProcessModules, SetEnvironmentVariableW, EnumDeviceDrivers, SetEnvironmentVariableA, QueueUserAPC, GetLogicalProcessorInformationEx, LoadLibraryA, LoadLibraryW, GetLogicalProcessorInformation, GetApplicationRecoveryCallback, EnumProcessModulesEx, PeekConsoleInputA, ReadConsoleInputA, ReadConsoleInputW, GenerateConsoleCtrlEvent, ReadConsoleA, ReadConsoleW, CreateRemoteThread
USER32.DLL: SetWindowsHookExW, CallNextHookEx, FindWindowExA, SendMessageA, PeekMessageA, PeekMessageW, GetDesktopWindow, SendMessageW, SetWindowLongW, GetKeyState, PostMessageW, EnumDesktopWindows, EnumWindows, GetMessageW, SystemParametersInfoW, FindWindowW, GetAsyncKeyState, SetPropW, FindWindowExW, GetDC, GetMessageA, SystemParametersInfoA, SendNotifyMessageW, SetWinEventHook, PostMessageA, UnhookWindowsHookEx, GetClipboardData, SetWindowLongA, SetClipboardData, SendNotifyMessageA, GetDCEx, GetKeyboardState, GetRawInputData, GetWindowDC, RegisterRawInputDevices, SetWindowsHookExA, FindWindowA, SetPropA
COMBASE.DLL: CoCreateInstance, CoGetClassObject
KERNEL32.DLL: Process32NextW, CreateToolhelp32Snapshot, MoveFileExA, MoveFileWithProgressA, DefineDosDeviceA
GDI32.DLL: CreateDCW, BitBlt, CreateCompatibleDC, CreateBitmap, CreateDCA, CreateCompatibleBitmap
NTDLL.DLL: RtlImageNtHeaderEx, NtSetInformationThread, NtClose, NtOpenProcess, NtMapViewOfSection, NtUnmapViewOfSection, NtTerminateProcess, NtWriteVirtualMemory, NtDuplicateObject, NtReadVirtualMemory, NtAdjustPrivilegesToken, NtQueueApcThread, NtCreateProcessEx, NtCreateThread, NtResumeThread, NtAlpcConnectPort, NtAlpcCreatePort, NtAlpcSendWaitReceivePort, NtCreateProcess, NtCreateThreadEx, NtCreateUserProcess, NtQuerySystemEnvironmentValueEx, NtRaiseHardError, NtSetContextThread, NtSetSystemEnvironmentValueEx, RtlWow64SetThreadContext, RtlReportException
Malwarebytes
Drivers:
| Name | Description | Path |
|---|---|---|
| mbae64.sys | Malwarebytes Anti-Exploit | C:\Windows\System32\Drivers\ |
| farft.sys | Malwarebytes Anti-Ransomware | C:\Windows\System32\Drivers\ |
| MbamChameleon.sys | Malwarebytes Chameleon | C:\Windows\System32\Drivers\ |
| mbam.sys | Malwarebytes Real-Time Protection | C:\Windows\System32\Drivers\ |
| mbamswissarmy.sys | Malwarebytes SwissArmy | C:\Windows\System32\Drivers\ |
| mwac.sys | Malwarebytes Web Protection | C:\Windows\System32\Drivers\ |
DLLs:
| Name | Description | Path |
|---|---|---|
| mbae.dll | Malwarebytes Anti-Exploit | Program Files\Malwarebytes\AntiMalware\mbae.dll |
Hooked functions
MSVCRT.DLL: (hooked; no functions listed)
WS2_32.DLL: (hooked; no functions listed)
SHELL32.DLL: ShellExecuteW, ShellExecuteExW
NTDLL.DLL: ResolveDelayLoadedAPI, GetDllHandle, CreateProcessInternalW, NtAllocateVirtualMemory, NtProtectVirtualMemory
KERNELBASE.DLL: VirtualAllocEx, CreateProcessW, CreateProcessInternalW, GetModuleHandleW, CreateFileW, LoadLibraryExW, VirtualProtect, HeapCreate, VirtualAlloc, WriteProcessMemory, CreateFileA, VirtualProtectEx, CreateProcessA, CreateProcessInternalA
URLMON.DLL: URLDownloadToFileW, URLDownloadToCacheFileA, URLDownloadToCacheFileW, URLDownloadToFileA, URLOpenBlockingStreamA, URLOpenBlockingStreamW, URLOpenStreamA, URLOpenStreamW
WININET.DLL: InternetReadFile, InternetReadFileExW, HttpOpenRequestW, HttpSendRequestW, HttpSendRequestExW, HttpSendRequestA, HttpSendRequestExA, InternetOpenUrlA, InternetOpenUrlW, HttpOpenRequestA
KERNEL32.DLL: SetProcessDEPPolicy, CopyFileA, MoveFileA, MoveFileW, CopyFileW, WinExec
Summary
This post shows the following about the products examined:
- Some still rely on methods and techniques borrowed from old malware.
- Some do not inspect network traffic at all; to get that, the vendor sells a separate product at extra cost.
- Some do not account for API forwarding: they hook the Win32 wrapper but not the native call underneath, so a malware author can call the function in NTDLL directly instead of its sister in KERNELBASE or KERNEL32 and bypass the API hook entirely.
- Many rely on YARA rules, or on the kind of basic static binary analysis that YARA performs.
I tested the products in this post against a keylogger I wrote myself, "UnderTaker.exe", which records keystrokes with the RegisterRawInputDevices and GetRawInputData functions from USER32.dll. In my test environment it evaded essentially every product except F-Secure and BitDefender. Of the products covered in this post, the only one that covers RegisterRawInputDevices and GetRawInputData is BitDefender.
PoC IoC (SHA-256):
2a419d2ddf31ee89a8deda913abf1b25d45bb0dc59a93c606756cfa66acb0791